From 00484ef438288e55bb06fea4e5e7d54b298f2540 Mon Sep 17 00:00:00 2001
From: Marc Derhammer
Date: Tue, 25 Apr 2023 12:36:26 -0400
Subject: [PATCH 1/9] feat: Allow multiple origins
---
 spec/Middlewares.spec.js | 29 +++++++++++++++++++++++++++++
 src/Options/Definitions.js | 2 +-
 src/Options/docs.js | 2 +-
 src/Options/index.js | 4 ++--
 src/middlewares.js | 12 ++++++++++--
 5 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
index 12bfc59bf7..52661a5847 100644
--- a/spec/Middlewares.spec.js
+++ b/spec/Middlewares.spec.js
@@ -287,6 +287,35 @@ describe('middlewares', () => { expect(headers['Access-Control-Allow-Origin']).toEqual('https://parseplatform.org/'); }); + it('should support multiple origins if several are defined in allowOrigin', () => { + AppCache.put(fakeReq.body._ApplicationId, { + allowOrigin: 'https://a.com,https://b.com,https://c.com', + }); + const headers = {}; + const res = { + header: (key, value) => { + headers[key] = value; + }, + }; + const allowCrossDomain = middlewares.allowCrossDomain(fakeReq.body._ApplicationId); + // Test with the first domain + fakeReq.headers.origin = 'https://a.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); + // Test with the second domain + fakeReq.headers.origin = 'https://b.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://b.com'); + // Test with the third domain + fakeReq.headers.origin = 'https://c.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://c.com'); + // Test with an unauthorized domain + fakeReq.headers.origin = 'https://unauthorized.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); + }); + it('should use user provided on field userFromJWT', done => { AppCache.put(fakeReq.body._ApplicationId, { masterKey: 'masterKey', diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index b2f0542256..4ab59bac52 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -81,7 +81,7 @@ module.exports.ParseServerOptions = { }, allowOrigin: { env: 'PARSE_SERVER_ALLOW_ORIGIN', - help: 'Sets the origin to Access-Control-Allow-Origin', + help: 'Sets the origins to Access-Control-Allow-Origin', }, analyticsAdapter: { env: 'PARSE_SERVER_ANALYTICS_ADAPTER', 
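Review bot: The new test in the `@@ -287,6 +287,35 @@` hunk never exercises a request with no `Origin` header, which is the other half of the `requestOrigin && allowedOrigins.includes(requestOrigin)` guard this patch adds to `allowCrossDomain`. I would add a case such as `delete fakeReq.headers.origin; allowCrossDomain(fakeReq, res, () => {}); expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com');`. The test also finishes with `fakeReq.headers.origin` still set to `https://unauthorized.com`; if `fakeReq` is not rebuilt before each spec (not visible here), that value leaks into later tests. The array variant added in PATCH 3/9 (`@@ -316,6 +316,35 @@`) has the same gaps.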
diff --git a/src/Options/docs.js b/src/Options/docs.js index 1ab8c03d58..3f20e9b682 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -16,7 +16,7 @@ * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers - * @property {String} allowOrigin Sets the origin to Access-Control-Allow-Origin + * @property {String[]} allowOrigin Sets the origins to Access-Control-Allow-Origin * @property {Adapter} analyticsAdapter Adapter module for the analytics * @property {String} appId Your Parse Application ID * @property {String} appName Sets the app name diff --git a/src/Options/index.js b/src/Options/index.js index a4d83f94fc..c880cb6173 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -61,8 +61,8 @@ export interface ParseServerOptions { appName: ?string; /* Add headers to Access-Control-Allow-Headers */ allowHeaders: ?(string[]); - /* Sets the origin to Access-Control-Allow-Origin */ - allowOrigin: ?string; + /* Sets the origins to Access-Control-Allow-Origin */ + allowOrigin: ?(string[]); /* Adapter module for the analytics */ analyticsAdapter: ?Adapter; /* Adapter module for the files sub-system */ diff --git a/src/middlewares.js b/src/middlewares.js index 0dca33135e..2ffea7c39e 100644 --- a/src/middlewares.js +++ b/src/middlewares.js 
@@ -384,8 +384,16 @@ export function allowCrossDomain(appId) { if (config && config.allowHeaders) { allowHeaders += `, ${config.allowHeaders.join(', ')}`; } - const allowOrigin = (config && config.allowOrigin) || '*'; - res.header('Access-Control-Allow-Origin', allowOrigin); + + // Support for multiple origins + const allowedOrigins = + config && config.allowOrigin + ? config.allowOrigin.split(',').map(domain => domain.trim()) + : ['*']; + const requestOrigin = req.headers.origin; + const originToSet = + requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0]; + res.header('Access-Control-Allow-Origin', originToSet); res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'); res.header('Access-Control-Allow-Headers', allowHeaders); res.header('Access-Control-Expose-Headers', 'X-Parse-Job-Status-Id, X-Parse-Push-Status-Id'); From f88daeb0219f3d90619e2cbb6dae865dbe4ee197 Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 09:52:08 -0400 Subject: [PATCH 2/9] fix typing and add a note to the description that this string can be comma delimited for multiple domains --- src/Options/Definitions.js | 3 ++- src/Options/docs.js | 2 +- src/Options/index.js | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 4ab59bac52..e221fb84e4 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -81,7 +81,8 @@ module.exports.ParseServerOptions = { }, allowOrigin: { env: 'PARSE_SERVER_ALLOW_ORIGIN', - help: 'Sets the origins to Access-Control-Allow-Origin', + help: + 'Sets the origin to Access-Control-Allow-Origin. Can be comma delimited if multiple should be supported', }, analyticsAdapter: { env: 'PARSE_SERVER_ANALYTICS_ADAPTER', diff --git a/src/Options/docs.js b/src/Options/docs.js index 3f20e9b682..1ab8c03d58 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js 
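Review bot: The `Access-Control-Allow-Origin` value in `allowCrossDomain` now depends on the request's `Origin` header, but none of the `res.header(...)` calls visible in this hunk adds `Vary: Origin`. Without it, a shared cache or CDN in front of the server can store a response carrying one allowed origin and serve it to a different one, so the browser rejects a legitimate cross-origin request; this applies whenever the configured list is anything other than the single `*`. Next to the `Access-Control-Allow-Origin` line I would add `res.header('Vary', 'Origin');`, or append to an existing `Vary` value if the rest of the function, which continues outside the hunk, already sets one. The later rewrites of these lines in PATCH 3/9, 6/9 and 8/9 keep the same behaviour and do not add the header either.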
@@ -16,7 +16,7 @@ * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers - * @property {String[]} allowOrigin Sets the origins to Access-Control-Allow-Origin + * @property {String} allowOrigin Sets the origin to Access-Control-Allow-Origin * @property {Adapter} analyticsAdapter Adapter module for the analytics * @property {String} appId Your Parse Application ID * @property {String} appName Sets the app name diff --git a/src/Options/index.js b/src/Options/index.js index c880cb6173..39a042bfe6 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -61,8 +61,8 @@ export interface ParseServerOptions { appName: ?string; /* Add headers to Access-Control-Allow-Headers */ allowHeaders: ?(string[]); - /* Sets the origins to Access-Control-Allow-Origin */ - allowOrigin: ?(string[]); + /* Sets the origin to Access-Control-Allow-Origin. Can be comma delimited to support multiple */ + allowOrigin: ?string; /* Adapter module for the analytics */ analyticsAdapter: ?Adapter; /* Adapter module for the files sub-system */ From 15a25de640bf4d9005efb7291cb609d8e0607c0b Mon Sep 17 00:00:00 2001 
From: Marc Derhammer Date: Thu, 27 Apr 2023 13:07:09 -0400 Subject: [PATCH 3/9] support either string or array for the allowOrigin option Added a test for when an array is set as the allowOrigin value --- spec/Middlewares.spec.js | 31 ++++++++++++++++++++++++++++++- src/Options/Definitions.js | 2 +- src/Options/docs.js | 2 +- src/Options/index.js | 4 ++-- src/middlewares.js | 11 +++++++---- 5 files changed, 41 insertions(+), 9 deletions(-) diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js index 52661a5847..0eb3b219af 100644 --- a/spec/Middlewares.spec.js +++ b/spec/Middlewares.spec.js @@ -287,7 +287,7 @@ describe('middlewares', () => { expect(headers['Access-Control-Allow-Origin']).toEqual('https://parseplatform.org/'); }); - it('should support multiple origins if several are defined in allowOrigin', () => { + it('should support multiple origins if several are defined in allowOrigin as a comma delimited string', () => { AppCache.put(fakeReq.body._ApplicationId, { allowOrigin: 'https://a.com,https://b.com,https://c.com', }); 
@@ -316,6 +316,35 @@ describe('middlewares', () => { expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); }); + it('should support multiple origins if several are defined in allowOrigin as an array', () => { + AppCache.put(fakeReq.body._ApplicationId, { + allowOrigin: ['https://a.com', 'https://b.com', 'https://c.com'], + }); + const headers = {}; + const res = { + header: (key, value) => { + headers[key] = value; + }, + }; + const allowCrossDomain = middlewares.allowCrossDomain(fakeReq.body._ApplicationId); + // Test with the first domain + fakeReq.headers.origin = 'https://a.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); + // Test with the second domain + fakeReq.headers.origin = 'https://b.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://b.com'); + // Test with the third domain + fakeReq.headers.origin = 'https://c.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://c.com'); + // Test with an unauthorized domain + fakeReq.headers.origin = 'https://unauthorized.com'; + allowCrossDomain(fakeReq, res, () => {}); + expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); + }); + it('should use user provided on field userFromJWT', done => { AppCache.put(fakeReq.body._ApplicationId, { masterKey: 'masterKey', diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index e221fb84e4..67890de2ce 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js 
@@ -82,7 +82,7 @@ module.exports.ParseServerOptions = { allowOrigin: { env: 'PARSE_SERVER_ALLOW_ORIGIN', help: - 'Sets the origin to Access-Control-Allow-Origin. Can be comma delimited if multiple should be supported', + 'Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple', }, analyticsAdapter: { env: 'PARSE_SERVER_ANALYTICS_ADAPTER', diff --git a/src/Options/docs.js b/src/Options/docs.js index 1ab8c03d58..b145392b17 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -16,7 +16,7 @@ * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers - * @property {String} allowOrigin Sets the origin to Access-Control-Allow-Origin + * @property {Union} allowOrigin Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple * @property {Adapter} analyticsAdapter Adapter module for the analytics * @property {String} appId Your Parse Application ID * @property {String} appName Sets the app name diff --git a/src/Options/index.js b/src/Options/index.js index 39a042bfe6..8d4b068403 100644 --- a/src/Options/index.js +++ b/src/Options/index.js 
@@ -61,8 +61,8 @@ export interface ParseServerOptions { appName: ?string; /* Add headers to Access-Control-Allow-Headers */ allowHeaders: ?(string[]); - /* Sets the origin to Access-Control-Allow-Origin. Can be comma delimited to support multiple */ - allowOrigin: ?string; + /* Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple */ + allowOrigin: ?(string | string[]); /* Adapter module for the analytics */ analyticsAdapter: ?Adapter; /* Adapter module for the files sub-system */ diff --git a/src/middlewares.js b/src/middlewares.js index 2ffea7c39e..f558443ea7 100644 --- a/src/middlewares.js +++ b/src/middlewares.js @@ -386,10 +386,13 @@ export function allowCrossDomain(appId) { } // Support for multiple origins - const allowedOrigins = - config && config.allowOrigin - ? config.allowOrigin.split(',').map(domain => domain.trim()) - : ['*']; + let allowedOrigins = config && config.allowOrigin ? config.allowOrigin : ['*']; + + // Convert comma-separated string to an array if needed + if (typeof allowedOrigins === 'string') { + allowedOrigins = allowedOrigins.split(',').map(domain => domain.trim()); + } + const requestOrigin = req.headers.origin; const originToSet = requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0]; From 56a01ccfdbee8770d0c24898fdf8d8e4bbc1789a Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 13:31:40 -0400 Subject: [PATCH 4/9] Update to the buildConfigDefinitions to support String|String[] --- resources/buildConfigDefinitions.js | 6 ++++++ src/Options/Definitions.js | 1 + src/Options/docs.js | 2 +- src/Options/index.js | 3 ++- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/resources/buildConfigDefinitions.js b/resources/buildConfigDefinitions.js index 3a69217016..e0d33daa4b 100644 --- a/resources/buildConfigDefinitions.js +++ b/resources/buildConfigDefinitions.js 
@@ -161,6 +161,9 @@ function mapperFor(elt, t) { if (type == 'NumberOrBoolean') { return wrap(t.identifier('numberOrBooleanParser')); } + if (type === 'StringOrStringArray') { + return wrap(t.identifier('arrayParser')); + } return wrap(t.identifier('objectParser')); } } @@ -278,6 +281,9 @@ function inject(t, list) { const adapterType = elt.typeAnnotation.typeParameters.params[0].id.name; type = `Adapter<${adapterType}>`; } + if (type === 'StringOrStringArray') { + type = 'String|String[]'; + } comments += ` * @property {${type}} ${elt.name} ${elt.help}\n`; const obj = t.objectExpression(props); return t.objectProperty(t.stringLiteral(elt.name), obj); diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 67890de2ce..a0cac0434f 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -83,6 +83,7 @@ module.exports.ParseServerOptions = { env: 'PARSE_SERVER_ALLOW_ORIGIN', help: 'Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple', + action: parsers.arrayParser, }, analyticsAdapter: { env: 'PARSE_SERVER_ANALYTICS_ADAPTER', diff --git a/src/Options/docs.js b/src/Options/docs.js index b145392b17..981c6a7a51 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js 
@@ -16,7 +16,7 @@ * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers - * @property {Union} allowOrigin Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple + * @property {String|String[]} allowOrigin Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple * @property {Adapter} analyticsAdapter Adapter module for the analytics * @property {String} appId Your Parse Application ID * @property {String} appName Sets the app name diff --git a/src/Options/index.js b/src/Options/index.js index 8d4b068403..07fab2d3d0 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -35,6 +35,7 @@ type Adapter = string | any | T; type NumberOrBoolean = number | boolean; type NumberOrString = number | string; type ProtectedFields = any; +type StringOrStringArray = string | string[]; type RequestKeywordDenylist = { key: string | any, value: any, @@ -62,7 +63,7 @@ export interface ParseServerOptions { /* Add headers to Access-Control-Allow-Headers */ allowHeaders: ?(string[]); /* Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple */ - allowOrigin: ?(string | string[]); + allowOrigin: ?StringOrStringArray; /* Adapter module for the analytics */ analyticsAdapter: ?Adapter; /* Adapter module for the files sub-system */ 
From 5aabe94cc569c3f01c71ed09817975c61ad1ba38 Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 17:23:32 -0400 Subject: [PATCH 5/9] Update src/Options/index.js Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com> Signed-off-by: Marc Derhammer --- src/Options/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Options/index.js b/src/Options/index.js index 07fab2d3d0..009b31a5d5 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -62,7 +62,7 @@ export interface ParseServerOptions { appName: ?string; /* Add headers to Access-Control-Allow-Headers */ allowHeaders: ?(string[]); - /* Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple */ + /* Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins. */ allowOrigin: ?StringOrStringArray; /* Adapter module for the analytics */ analyticsAdapter: ?Adapter; From 8a99d90aa264c37014f219d93887f275d0ff0352 Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 17:30:14 -0400 Subject: [PATCH 6/9] Update src/middlewares.js Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com> Signed-off-by: Marc Derhammer --- src/middlewares.js | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/src/middlewares.js b/src/middlewares.js index f558443ea7..e7fa8c6794 100644 --- a/src/middlewares.js +++ b/src/middlewares.js 
@@ -385,18 +385,10 @@ export function allowCrossDomain(appId) { allowHeaders += `, ${config.allowHeaders.join(', ')}`; } - // Support for multiple origins - let allowedOrigins = config && config.allowOrigin ? config.allowOrigin : ['*']; - - // Convert comma-separated string to an array if needed - if (typeof allowedOrigins === 'string') { - allowedOrigins = allowedOrigins.split(',').map(domain => domain.trim()); - } - + const baseOrigins = config?.allowOrigin ?? ['*']; const requestOrigin = req.headers.origin; - const originToSet = - requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0]; - res.header('Access-Control-Allow-Origin', originToSet); + const allowOrigins = requestOrigin && baseOrigins.includes(requestOrigin) ? requestOrigin : baseOrigins[0]; + res.header('Access-Control-Allow-Origin', allowOrigins); res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'); res.header('Access-Control-Allow-Headers', allowHeaders); res.header('Access-Control-Expose-Headers', 'X-Parse-Job-Status-Id, X-Parse-Push-Status-Id'); From 4b2437219294cc5d0604cb9a7ac3f9993e796cf7 Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 17:37:48 -0400 Subject: [PATCH 7/9] Update definitions --- src/Options/Definitions.js | 2 +- src/Options/docs.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index a0cac0434f..7987363ff2 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -82,7 +82,7 @@ module.exports.ParseServerOptions = { allowOrigin: { env: 'PARSE_SERVER_ALLOW_ORIGIN', help: - 'Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple', + 'Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins.', action: parsers.arrayParser, }, analyticsAdapter: { 
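Review bot: Replacing the normalisation with `config?.allowOrigin ?? ['*']` drops the `.map(domain => domain.trim())` step, so `baseOrigins.includes(requestOrigin)` is now an exact match against whatever the option parser produced. If `parsers.arrayParser` (wired to `allowOrigin` in PATCH 4/9) splits on commas without trimming, which is not visible on this page, a value like `https://a.com, https://b.com` in `PARSE_SERVER_ALLOW_ORIGIN` leaves a leading space on the second entry and that origin silently never matches. Keeping the trim on the resolved list, e.g. `.map(origin => origin.trim())`, or adding a comment on this line that entries must already be exact origin strings, would make the contract explicit. The function body continues outside the hunk.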
diff --git a/src/Options/docs.js b/src/Options/docs.js index 981c6a7a51..b5a78aace1 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -16,7 +16,7 @@ * @property {Boolean} allowCustomObjectId Enable (or disable) custom objectId * @property {Boolean} allowExpiredAuthDataToken Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`. * @property {String[]} allowHeaders Add headers to Access-Control-Allow-Headers - * @property {String|String[]} allowOrigin Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple + * @property {String|String[]} allowOrigin Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins. * @property {Adapter} analyticsAdapter Adapter module for the analytics * @property {String} appId Your Parse Application ID * @property {String} appName Sets the app name From 4d16a392b34be5cabc6372f3ad093c9b187be29a Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 17:50:43 -0400 Subject: [PATCH 8/9] Fix for single origin as a string --- src/middlewares.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/middlewares.js b/src/middlewares.js index e7fa8c6794..2e450f3e03 100644 --- a/src/middlewares.js +++ b/src/middlewares.js 
@@ -385,9 +385,11 @@ export function allowCrossDomain(appId) { allowHeaders += `, ${config.allowHeaders.join(', ')}`; } - const baseOrigins = config?.allowOrigin ?? ['*']; + const baseOrigins = + typeof config?.allowOrigin === 'string' ? [config.allowOrigin] : config?.allowOrigin ?? ['*']; const requestOrigin = req.headers.origin; - const allowOrigins = requestOrigin && baseOrigins.includes(requestOrigin) ? requestOrigin : baseOrigins[0]; + const allowOrigins = + requestOrigin && baseOrigins.includes(requestOrigin) ? requestOrigin : baseOrigins[0]; res.header('Access-Control-Allow-Origin', allowOrigins); res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'); res.header('Access-Control-Allow-Headers', allowHeaders); From 1db0af10fefb5db8acffa31684b045456c5f26b9 Mon Sep 17 00:00:00 2001 From: Marc Derhammer Date: Thu, 27 Apr 2023 17:51:36 -0400 Subject: [PATCH 9/9] Removed test for comma delimited string option --- spec/Middlewares.spec.js | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js index 0eb3b219af..636e7809f9 100644 --- a/spec/Middlewares.spec.js +++ b/spec/Middlewares.spec.js 
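Review bot: An empty array for `allowOrigin` is not nullish, so it passes the `?? ['*']` fallback and `baseOrigins[0]` is `undefined`, which is then handed to `res.header('Access-Control-Allow-Origin', allowOrigins)`. Depending on how the response object stringifies the value, that likely emits a literal `undefined` header instead of omitting it. Guarding the call keeps the result fail-closed and well-formed: `if (allowOrigins) { res.header('Access-Control-Allow-Origin', allowOrigins); }`. A smaller naming point on the same lines: `allowOrigins` holds a single origin string, so `allowOrigin` or the earlier `originToSet` would read more accurately. The function starts and ends outside the hunk.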
@@ -287,35 +287,6 @@ describe('middlewares', () => { expect(headers['Access-Control-Allow-Origin']).toEqual('https://parseplatform.org/'); }); - it('should support multiple origins if several are defined in allowOrigin as a comma delimited string', () => { - AppCache.put(fakeReq.body._ApplicationId, { - allowOrigin: 'https://a.com,https://b.com,https://c.com', - }); - const headers = {}; - const res = { - header: (key, value) => { - headers[key] = value; - }, - }; - const allowCrossDomain = middlewares.allowCrossDomain(fakeReq.body._ApplicationId); - // Test with the first domain - fakeReq.headers.origin = 'https://a.com'; - allowCrossDomain(fakeReq, res, () => {}); - expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); - // Test with the second domain - fakeReq.headers.origin = 'https://b.com'; - allowCrossDomain(fakeReq, res, () => {}); - expect(headers['Access-Control-Allow-Origin']).toEqual('https://b.com'); - // Test with the third domain - fakeReq.headers.origin = 'https://c.com'; - allowCrossDomain(fakeReq, res, () => {}); - expect(headers['Access-Control-Allow-Origin']).toEqual('https://c.com'); - // Test with an unauthorized domain - fakeReq.headers.origin = 'https://unauthorized.com'; - allowCrossDomain(fakeReq, res, () => {}); - expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com'); - }); - it('should support multiple origins if several are defined in allowOrigin as an array', () => { AppCache.put(fakeReq.body._ApplicationId, { allowOrigin: ['https://a.com', 'https://b.com', 'https://c.com'],