Skip to content

Revert "CORS Configuration for Public API" #11522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Revert "CORS Configuration for Public API" #11522

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 0 additions & 20 deletions front/config/cors.ts
View file
Open in desktop

This file was deleted.

91 changes: 0 additions & 91 deletions front/middleware.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,6 @@
import type { NextRequest } from "next/server";
import { NextResponse } from "next/server";

import {
ALLOWED_HEADERS,
isAllowedHeader,
isAllowedOrigin,
} from "@app/config/cors";

export function middleware(request: NextRequest) {
const url = request.nextUrl.pathname;

Expand Down Expand Up @@ -55,94 +49,9 @@ export function middleware(request: NextRequest) {
});
}

// Handle CORS only for public API endpoints.
if (url.startsWith("/api/v1")) {
if (request.method === "OPTIONS") {
// Handle preflight request.
const response = new NextResponse(null, { status: 200 });
return handleCors(response, request);
}

// Handle actual request.
const response = NextResponse.next();
return handleCors(response, request);
}

return NextResponse.next();
}

function handleCors(
response: NextResponse,
request: NextRequest
): NextResponse {
const corsResponseError = setCorsHeaders(response, request);
if (corsResponseError) {
// If setCorsHeaders returned a response, it's an error.
return corsResponseError;
}

return response;
}

function setCorsHeaders(
response: NextResponse,
request: NextRequest
): NextResponse | undefined {
const origin = request.headers.get("origin");
const requestHeaders = request.headers
.get("access-control-request-headers")
?.toLowerCase();

// If this is a preflight request checking headers.
if (request.method === "OPTIONS" && requestHeaders) {
const requestedHeaders = requestHeaders.split(",").map((h) => h.trim());
const hasUnallowedHeader = requestedHeaders.some(
(header) => !isAllowedHeader(header)
);

if (hasUnallowedHeader) {
return new NextResponse(null, {
status: 403,
statusText: "Forbidden: Unauthorized Headers",
});
}
}

// Check origin.
if (!origin) {
return new NextResponse(null, {
status: 403,
statusText: "Forbidden: Missing Origin",
});
}

// Check if origin is allowed (prod or dev).

// Cannot use helper functions like isDevelopment() in Edge Runtime middleware since they are not
// bundled. Must check NODE_ENV directly.
const isDevelopment = process.env.NODE_ENV === "development";
if (isDevelopment || isAllowedOrigin(origin)) {
response.headers.set("Access-Control-Allow-Origin", origin);
response.headers.set("Access-Control-Allow-Credentials", "true");
} else {
return new NextResponse(null, {
status: 403,
statusText: "Forbidden: Unauthorized Origin",
});
}

response.headers.set(
"Access-Control-Allow-Methods",
"GET, POST, PUT, DELETE, OPTIONS"
);
response.headers.set(
"Access-Control-Allow-Headers",
ALLOWED_HEADERS.join(", ")
);

return undefined;
}

export const config = {
matcher: "/:path*",
};