CORS Configuration for Public API

front/config/cors.ts

@@ -0,0 +1,20 @@
+const ALLOWED_ORIGINS = ["https://front-ext.dust.tt"] as const;
+type AllowedOriginType = (typeof ALLOWED_ORIGINS)[number];
+
+export function isAllowedOrigin(origin: string): origin is AllowedOriginType {
+  return ALLOWED_ORIGINS.includes(origin as AllowedOriginType);
+}
+
+export const ALLOWED_HEADERS = [
+  "authorization",
+  "content-type",
+  "x-commit-hash",
+  "x-dust-extension-version",
+  "x-hackerone-research",
+  "x-request-origin",
+] as const;
+type AllowedHeaderType = (typeof ALLOWED_HEADERS)[number];
+
+export function isAllowedHeader(header: string): header is AllowedHeaderType {
+  return ALLOWED_HEADERS.includes(header as AllowedHeaderType);
+}

front/middleware.ts

@@ -1,6 +1,12 @@
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 
+import {
+  ALLOWED_HEADERS,
+  isAllowedHeader,
+  isAllowedOrigin,
+} from "@app/config/cors";
+
 export function middleware(request: NextRequest) {
   const url = request.nextUrl.pathname;
 
@@ -49,9 +55,94 @@ export function middleware(request: NextRequest) {
     });
   }
 
+  // Handle CORS only for public API endpoints.
+  if (url.startsWith("/api/v1")) {
+    if (request.method === "OPTIONS") {
+      // Handle preflight request.
+      const response = new NextResponse(null, { status: 200 });
+      return handleCors(response, request);
+    }
+
+    // Handle actual request.
+    const response = NextResponse.next();
+    return handleCors(response, request);
+  }
+
   return NextResponse.next();
 }
 
+function handleCors(
+  response: NextResponse,
+  request: NextRequest
+): NextResponse {
+  const corsResponseError = setCorsHeaders(response, request);
+  if (corsResponseError) {
+    // If setCorsHeaders returned a response, it's an error.
+    return corsResponseError;
+  }
+
+  return response;
+}
+
+function setCorsHeaders(
+  response: NextResponse,
+  request: NextRequest
+): NextResponse | undefined {
+  const origin = request.headers.get("origin");
+  const requestHeaders = request.headers
+    .get("access-control-request-headers")
+    ?.toLowerCase();
+
+  // If this is a preflight request checking headers.
+  if (request.method === "OPTIONS" && requestHeaders) {
+    const requestedHeaders = requestHeaders.split(",").map((h) => h.trim());
+    const hasUnallowedHeader = requestedHeaders.some(
+      (header) => !isAllowedHeader(header)
+    );
+
+    if (hasUnallowedHeader) {
+      return new NextResponse(null, {
+        status: 403,
+        statusText: "Forbidden: Unauthorized Headers",
+      });
+    }
+  }
+
+  // Check origin.
+  if (!origin) {
+    return new NextResponse(null, {
+      status: 403,
+      statusText: "Forbidden: Missing Origin",
+    });
+  }
+
+  // Check if origin is allowed (prod or dev).
+
+  // Cannot use helper functions like isDevelopment() in Edge Runtime middleware since they are not
+  // bundled. Must check NODE_ENV directly.
+  const isDevelopment = process.env.NODE_ENV === "development";
+  if (isDevelopment || isAllowedOrigin(origin)) {
+    response.headers.set("Access-Control-Allow-Origin", origin);
+    response.headers.set("Access-Control-Allow-Credentials", "true");
+  } else {
+    return new NextResponse(null, {
+      status: 403,
+      statusText: "Forbidden: Unauthorized Origin",
+    });
+  }
+
+  response.headers.set(
+    "Access-Control-Allow-Methods",
+    "GET, POST, PUT, DELETE, OPTIONS"
+  );
+  response.headers.set(
+    "Access-Control-Allow-Headers",
+    ALLOWED_HEADERS.join(", ")
+  );
+
+  return undefined;
+}
+
 export const config = {
   matcher: "/:path*",
 };