chore: Update CORS_ALLOWLIST on staging and production [skip pizza]

theopensystemslab · Sep 9, 2024 · 7153823 · 7153823
1 parent bbf9f26
commit 7153823
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -122,6 +122,7 @@ services:
       AWS_S3_REGION: ${AWS_S3_REGION}
       AWS_SECRET_KEY: ${AWS_SECRET_KEY}
       BOPS_API_TOKEN: ${BOPS_API_TOKEN}
+      # This is controlled via generateCORSAllowList() in staging and production
       CORS_ALLOWLIST: ${EDITOR_URL_EXT}, ${API_URL_EXT}, https://login.live.com, https://login.microsoftonline.com
       EDITOR_URL_EXT: ${EDITOR_URL_EXT}
       ENCRYPTION_KEY: ${ENCRYPTION_KEY}

diff --git a/infrastructure/application/utils/generateCORSAllowList.ts b/infrastructure/application/utils/generateCORSAllowList.ts
@@ -6,7 +6,13 @@ export const generateCORSAllowList = (customDomains: CustomDomains, domain: stri
   const customDomainURLs = customDomains.map(team => `https://${team.domain}`);
   const editorURL = `https://${domain}`;
   const apiURL = `https://api.${domain}`; // Required for requests from API docs
-  const corsAllowList = [...customDomainURLs, editorURL, apiURL];
+  const microsoftLoginURLs = ["https://login.live.com, https://login.microsoftonline.com"];
+  const corsAllowList = [
+    ...customDomainURLs,
+    editorURL,
+    apiURL,
+    ...microsoftLoginURLs,
+  ];
 
   const secret: awsx.ecs.KeyValuePair = {
     name: "CORS_ALLOWLIST",