From 7153823c96c3055d483735c30ba758133132c334 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?=
Date: Mon, 9 Sep 2024 14:33:00 +0100
Subject: [PATCH] chore: Update CORS_ALLOWLIST on staging and production [skip pizza]
---
 docker-compose.yml | 1 +
 infrastructure/application/utils/generateCORSAllowList.ts | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 0f9affb694..1a0df54e32 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -122,6 +122,7 @@ services:
 AWS_S3_REGION: ${AWS_S3_REGION}
 AWS_SECRET_KEY: ${AWS_SECRET_KEY}
 BOPS_API_TOKEN: ${BOPS_API_TOKEN}
+ # This is controlled via generateCORSAllowList() in staging and production
 CORS_ALLOWLIST: ${EDITOR_URL_EXT}, ${API_URL_EXT}, https://login.live.com, https://login.microsoftonline.com
 EDITOR_URL_EXT: ${EDITOR_URL_EXT}
 ENCRYPTION_KEY: ${ENCRYPTION_KEY}
diff --git a/infrastructure/application/utils/generateCORSAllowList.ts b/infrastructure/application/utils/generateCORSAllowList.ts
index 1eb8238a90..8f7155fd0f 100644
--- a/infrastructure/application/utils/generateCORSAllowList.ts
+++ b/infrastructure/application/utils/generateCORSAllowList.ts
@@ -6,7 +6,13 @@ export const generateCORSAllowList = (customDomains: CustomDomains, domain: stri
 const customDomainURLs = customDomains.map(team => `https://${team.domain}`);
 const editorURL = `https://${domain}`;
 const apiURL = `https://api.${domain}`; // Required for requests from API docs
- const corsAllowList = [...customDomainURLs, editorURL, apiURL];
+ const microsoftLoginURLs = ["https://login.live.com, https://login.microsoftonline.com"];
+ const corsAllowList = [
+ ...customDomainURLs,
+ editorURL,
+ apiURL,
+ ...microsoftLoginURLs,
+ ];
 const secret: awsx.ecs.KeyValuePair = {
 name: "CORS_ALLOWLIST",
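Review bot: `microsoftLoginURLs` in the generateCORSAllowList.ts hunk is a one-element array whose single string holds both origins separated by a comma and a space, so the spread into `corsAllowList` adds one entry rather than two. Whether the resulting CORS_ALLOWLIST value is still parsed correctly depends on how the list is joined and on how the API splits and trims it, neither of which is visible here; with a bare `,` join or an exact-match comparison, the second origin would carry a leading space and never equal an `Origin` header. Give each origin its own element: `const microsoftLoginURLs = ["https://login.live.com", "https://login.microsoftonline.com"];`. A one-line comment naming the flow that needs these third-party origins, like the one already on `apiURL`, would make later audits of the allowlist easier. The function body starts and ends outside the hunk.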