add CORS to main api

2016-06-08 14:05:10 -04:00 · 2016-06-08 14:05:10 -04:00 · 7525b7d0a7
parent e24dd9bac6
commit 7525b7d0a7
3 changed files with 70 additions and 43 deletions
--- a/lib/apis.js
+++ b/lib/apis.js
@ -220,33 +220,44 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
    };
  }

+  var CORS = require('connect-cors');
+  var cors = CORS({ credentials: true, headers: [
+    'X-Requested-With'
+  , 'X-HTTP-Method-Override'
+  , 'Content-Type'
+  , 'Accept'
+  , 'Authorization'
+  ], methods: [ "GET", "POST", "PATCH", "PUT", "DELETE" ] });
+
  return function (req, res, next) {
-    var experienceId = req.hostname + req.url.replace(/\/api\/.*/, '/').replace(/\/+/g, '#').replace(/#$/, '');
-    var apiId = req.url.replace(/.*\/api\//, '').replace(/\/.*/, '');
+    cors(req, res, function () {
+      var experienceId = req.hostname + req.url.replace(/\/api\/.*/, '/').replace(/\/+/g, '#').replace(/#$/, '');
+      var apiId = req.url.replace(/.*\/api\//, '').replace(/\/.*/, '');

-    Object.defineProperty(req, 'experienceId', {
-      enumerable: true
-    , configurable: false
-    , writable: false
-      // TODO this identifier may need to be non-deterministic as to transfer if a domain name changes but is still the "same" app
-      // (i.e. a company name change. maybe auto vs manual register - just like oauth3?)
-      // NOTE: probably best to alias the name logically
-    , value: experienceId
+      Object.defineProperty(req, 'experienceId', {
+        enumerable: true
+      , configurable: false
+      , writable: false
+        // TODO this identifier may need to be non-deterministic as to transfer if a domain name changes but is still the "same" app
+        // (i.e. a company name change. maybe auto vs manual register - just like oauth3?)
+        // NOTE: probably best to alias the name logically
+      , value: experienceId
+      });
+      Object.defineProperty(req, 'apiId', {
+        enumerable: true
+      , configurable: false
+      , writable: false
+      , value: apiId
+      });
+
+      if (!localCache.apis[experienceId]) {
+        localCache.apis[experienceId] = { handler: loadApiHandler(experienceId), createdAt: Date.now() };
+      }
+
+      localCache.apis[experienceId].handler(req, res, next);
+      if (Date.now() - localCache.apis[experienceId].createdAt > (5 * 60 * 1000)) {
+        localCache.apis[experienceId] = { handler: loadApiHandler(experienceId), createdAt: Date.now() };
+      }
    });
-    Object.defineProperty(req, 'apiId', {
-      enumerable: true
-    , configurable: false
-    , writable: false
-    , value: apiId
-    });
-
-    if (!localCache.apis[experienceId]) {
-      localCache.apis[experienceId] = { handler: loadApiHandler(experienceId), createdAt: Date.now() };
-    }
-
-    localCache.apis[experienceId].handler(req, res, next);
-    if (Date.now() - localCache.apis[experienceId].createdAt > (5 * 60 * 1000)) {
-      localCache.apis[experienceId] = { handler: loadApiHandler(experienceId), createdAt: Date.now() };
-    }
  };
 };
--- a/lib/bootstrap.js
+++ b/lib/bootstrap.js
@ -48,10 +48,9 @@ module.exports.create = function (app, xconfx, models) {

    function errorIfNotApi(req, res, next) {
      // if it's not an ip address
-      if (/[a-z]+/.test(req.headers.host)) {
-        if (!/^api\./.test(req.headers.host)) {
-          console.log('req.headers.host');
-          console.log(req.headers.host);
+      if (/[a-z]+/.test(req.hostname || req.headers.host)) {
+        if (!/^api\./.test(req.hostname || req.headers.host)) {
+          console.warn('not API req.headers.host:', req.hostname || req.headers.host);
          res.send({ error: { message: "no api. subdomain prefix" } });
          return;
        }
--- a/lib/main.js
+++ b/lib/main.js
@ -10,6 +10,8 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps) {
  var apiApp;
  var setupDomain = xconfx.setupDomain = ('cloud.' + xconfx.primaryDomain);
  var setupApp;
+  var CORS;
+  var cors;

  function redirectHttpsHelper(req, res) {
    var host = req.hostname || req.headers.host || '';
@ -58,6 +60,20 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps) {
    res.end(metaRedirect);
  }

+  function redirectSetup(reason, req, res/*, next*/) {
+    var url = 'https://cloud.' + xconfx.primaryDomain;
+
+    if (443 !== xconfx.externalPort) {
+      url += ':' + xconfx.externalPort;
+    }
+
+    url += '#referrer=' + reason;
+
+    res.statusCode = 302;
+    res.setHeader('Location', url);
+    res.end();
+  }
+
  function redirectHttps(req, res) {
    if (localCache.le[req.hostname]) {
      if (localCache.le[req.hostname].conf) {
@ -222,20 +238,6 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps) {
    });
  }

-  function redirectSetup(reason, req, res/*, next*/) {
-    var url = 'https://cloud.' + xconfx.primaryDomain;
-
-    if (443 !== xconfx.externalPort) {
-      url += ':' + xconfx.externalPort;
-    }
-
-    url += '#referrer=' + reason;
-
-    res.statusCode = 302;
-    res.setHeader('Location', url);
-    res.end();
-  }
-
  function serveStatic(req, res, next) {
    // If we get this far we can be pretty confident that
    // the domain was already set up because it's encrypted
@ -274,6 +276,21 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps) {
      if (!apiApp) {
        apiApp = require('./apis').create(xconfx, apiFactories, apiDeps);
      }
+
+      if (/^OPTIONS$/i.test(req.method)) {
+        if (!cors) {
+          CORS = require('connect-cors');
+          cors = CORS({ credentials: true, headers: [
+            'X-Requested-With'
+          , 'X-HTTP-Method-Override'
+          , 'Content-Type'
+          , 'Accept'
+          , 'Authorization'
+          ], methods: [ "GET", "POST", "PATCH", "PUT", "DELETE" ] });
+        }
+        cors(req, res, apiApp);
+      }
+
      apiApp(req, res, next);
      return;
    }