"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const exotic_1 = require("exotic");
const log_1 = require("../log");
/**
* @todo https://github.com/expressjs/cors/blob/master/lib/index.js#L117
* @api https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Vary
* @todo - could use process.env for origin?
*
* 1. configureMaxAge
* 2. configureExposedHeaders (_Access-Control-Expose-Headers_; note that only _Access-Control-Allow-Headers_ is set below)
*/
/**
 * Stand-in request used when a helper is called without a real request:
 * every header lookup yields '' and no protocol is reported, so callers fall
 * through to their environment-variable defaults.
 */
const FIXME_EMPTY_REQ = {
    protocol: undefined,
    get: (_name) => '',
};
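/**
 * Resolves the bare host for a request: the `Host` header first, then
 * `req.host`, then the `GRAPHQL_API_URL` environment variable, with a leading
 * `http://` / `https://` scheme removed.
 *
 * NOTE(review): `GRAPHQL_API_URL` may carry a path or port; only the scheme
 * is stripped, so whatever follows it is returned as-is — confirm the value
 * that deployments set.
 *
 * @param {object} [req] - request-like object; `req.get('host')` and
 *   `req.host` are read when present
 * @returns {string} the host without scheme, or '' when nothing is known
 */
const toHost = (req = FIXME_EMPTY_REQ) => {
    // `req.get` only exists on framework request objects; a bare object or a
    // stub without it must not throw.
    const headerHost = typeof req.get === 'function' ? req.get('host') : undefined;
    const raw = headerHost || req.host || process.env.GRAPHQL_API_URL || '';
    // Strip only a *leading* scheme; a plain replace() removed the first
    // occurrence anywhere in the string.
    return String(raw).replace(/^https?:\/\//, '');
};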
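/**
 * Resolves the URL scheme (with trailing colon, e.g. 'https:') for a request.
 *
 * The request's own protocol wins (Express reports 'http' / 'https' without a
 * colon; a URL-style 'https:' is tolerated too); otherwise the `HTTPS`
 * environment flag decides.
 *
 * Fixes a precedence bug: the previous one-liner parsed as
 * `(req.protocol || process.env.HTTPS === 'true') ? 'https:' : 'http:'`, so
 * every request that reported any protocol — including plain http — came out
 * as 'https:'.
 *
 * @param {object} [req] - request-like object; `req.protocol` is read
 * @returns {string} 'http:' or 'https:' (or `<req.protocol>:`)
 */
const toProtocol = (req = FIXME_EMPTY_REQ) => {
    const scheme = req.protocol
        ? String(req.protocol).replace(/:$/, '')
        : (process.env.HTTPS === 'true' ? 'https' : 'http');
    return `${scheme}:`;
};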
/**
 * Builds `<protocol>//<host>` for the request (e.g. `https://api.example.com`)
 * from `toProtocol` and `toHost`.
 *
 * A local `http://0.0.0.0:4000` bind is rewritten to `http://localhost:3000`
 * — a development shim carried over from the original; presumably the
 * front-end dev server, confirm before changing.
 *
 * @param {object} [req] - request-like object passed through to the helpers
 * @returns {string} origin-style string, scheme and host only
 */
function toHostWithProtocol(req) {
    const host = toHost(req);
    const protocol = toProtocol(req);
    const origin = `${protocol}//${host}`;
    const DEV_BIND = 'http://0.0.0.0:4000';
    const DEV_CLIENT = 'http://localhost:3000';
    if (origin === DEV_BIND) {
        return DEV_CLIENT;
    }
    return origin;
}
exports.toHostWithProtocol = toHostWithProtocol;
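/**
 * Writes the CORS response headers when the request's host is on
 * `global.whitelist`, and marks the request with `req.isSafe = true`.
 * Requests that do not match are logged but still passed to `next()` — this
 * handler never blocks; callers must check `req.isSafe` themselves.
 *
 * SECURITY: the previous implementation short-circuited the whitelist check
 * with a hard-coded `|| true` (left as a TODO), which granted
 * `Access-Control-Allow-Credentials: true` to every request whenever the
 * whitelist was non-empty. It also used a substring test
 * (`whitelistHost.includes(host)`), so any host contained in an entry — or an
 * empty host — matched. Both are replaced by an exact comparison below.
 *
 * NOTE(review): the allowed origin written to the response is derived from
 * the request's own `Host` header (see `toHostWithProtocol`), not from the
 * `Origin` request header — confirm this matches how `global.whitelist` is
 * populated before relying on it for cross-origin access control.
 *
 * @param {object} req - incoming request; `req.get('host')` / `req.host` are
 *   read and `req.isSafe` is set on a match
 * @param {object} res - outgoing response the CORS headers are written to
 * @param {Function} [next] - continuation, defaults to a no-op
 * @returns {*} whatever `next()` returns
 */
function securityOriginHandler(req, res, next = exotic_1.NO_OP) {
    const host = toHost(req);
    const hostWithProtocol = toHostWithProtocol(req);
    const whitelist = Array.isArray(global.whitelist) ? global.whitelist : [];
    // Whitelist entries may carry a scheme (e.g. 'https://app.example.com');
    // strip it so they compare against the bare host exactly as toHost()
    // normalises the request side.
    const normalize = (entry) => String(entry).replace(/^https?:\/\//, '');
    const didFindSafe = host !== '' && whitelist.some((entry) => normalize(entry) === host);
    if (didFindSafe) {
        log_1.logger.debug('[uxui-graphql] isSafe origin: ', hostWithProtocol);
        res.setHeader('Access-Control-Allow-Credentials', 'true');
        res.setHeader('Access-Control-Allow-Origin', hostWithProtocol);
        res.setHeader('Access-Control-Allow-Headers', 'content-type');
        res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,PUT,PATCH,POST,DELETE');
        // The response differs per origin, so shared caches must key on it.
        // https://github.com/expressjs/cors/blob/master/lib/index.js#L64
        res.setHeader('Vary', 'Origin');
        req.isSafe = true;
    }
    if (!req.isSafe) {
        log_1.logger.warn('[uxui-graphql] WARNING: unsafe origin:', hostWithProtocol);
    }
    return next();
}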
/**
 * Terminates a CORS preflight (OPTIONS) request with an empty 204 response.
 * `next` is accepted for middleware-signature compatibility but never called:
 * the response is ended here.
 *
 * @param {object} req - incoming request (unused)
 * @param {object} res - outgoing response; status, Content-Length and end()
 * @param {Function} [next] - unused
 */
function securityOptionsHandler(req, res, next) {
    // Safari (and possibly other browsers) hang on a 204 that lacks an
    // explicit Content-Length: 0, waiting for a body that never arrives.
    const NO_CONTENT = 204;
    res.statusCode = NO_CONTENT;
    res.setHeader('Content-Length', '0');
    res.end();
}
/**
 * Connect/Express-style CORS middleware. Preflight (OPTIONS) requests get the
 * origin headers and are answered immediately with 204; every other method
 * gets the origin headers and continues down the chain via `next`.
 *
 * @param {object} req - incoming request; `req.method` is inspected
 * @param {object} res - outgoing response
 * @param {Function} next - continuation for non-preflight requests
 */
function securityOriginMiddleware(req, res, next) {
    const isPreflight = req.method === 'OPTIONS';
    if (!isPreflight) {
        securityOriginHandler(req, res, next);
        return;
    }
    // Preflight: set the headers without a continuation, then end with 204.
    securityOriginHandler(req, res);
    securityOptionsHandler(req, res);
}
exports.securityOriginMiddleware = securityOriginMiddleware;
//# sourceMappingURL=data:application/json;base64,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