@futdevpro/nts-dynamo 1.15.33 → 1.15.36

package/src/_services/server/app.server.ts

@@ -47,6 +47,9 @@ import {
 import {
   DyNTS_StaticClient_Settings
 } from '../../_models/interfaces/static-client-settings.interface';
+import {
+  DyNTS_Cors_Settings
+} from '../../_models/interfaces/cors-settings.interface';
 import { DyNTS_SingletonService } from '../base/singleton.service';
 import { DyNTS_GlobalService } from '../core/global.service';
 import { DyNTS_RoutingModule } from '../route/routing-module.service';
@@ -1074,20 +1077,24 @@ export abstract class DyNTS_App extends DyNTS_SingletonService {
    */
   protected async initOpenExpress(): Promise<void> {
     if (this.fnLogs) DyFM_Log.log('\nfn:. initOpenExpress');
-    this.openExpress = Express();    
+    this.openExpress = Express();
     this.openExpress.set('maxHeaderSize', 10 * megabyte); // 1024 * 1024 * 10, // 10MB
     this.openExpress.use(BodyParser.urlencoded(this._portSettings.httpUrlencoded));
     this.openExpress.use(BodyParser.json(this._portSettings.httpJson));
+    // FR-041 — CORS allowlist enforcement. No-op if getCorsSettings() is not overridden.
+    this.mountCors(this.openExpress);
   }
 
   /**
-   * 
+   *
    */
   protected async initSecureExpress(): Promise<void> {
     if (this.fnLogs) DyFM_Log.log('\nfn:. initSecureExpress');
-    this.secureExpress = Express();    
+    this.secureExpress = Express();
     this.secureExpress.use(BodyParser.urlencoded(this._portSettings.httpsUrlencoded));
     this.secureExpress.use(BodyParser.json(this._portSettings.httpsJson));
+    // FR-041 — CORS allowlist enforcement (same as open express).
+    this.mountCors(this.secureExpress);
 
     const options = {
       key: FileSystem.readFileSync(this._cert.keyPath),
@@ -1412,6 +1419,69 @@ export abstract class DyNTS_App extends DyNTS_SingletonService {
     }
   }
 
+  /**
+   * FR-041 — CORS middleware. Echoes a matching `Access-Control-Allow-Origin`
+   * for any request whose Origin header is in `getCorsSettings().allowedOrigins`,
+   * adds the canonical `Access-Control-*` companion headers, and short-circuits
+   * the OPTIONS preflight with a 204.
+   *
+   * No-op when the subclass does NOT override `getCorsSettings()` — preserves
+   * back-compat for apps that have always been same-origin and never needed
+   * CORS (the typical pre-FR-041 case).
+   *
+   * Why hand-rolled instead of the `cors` npm package:
+   *  - ~30 lines, zero new dependency.
+   *  - Full control over Vary/credentials/preflight semantics.
+   *  - Aligns with FDP "no unnecessary deps" philosophy.
+   */
+  protected mountCors(express: Express.Application): void {
+    const settings: DyNTS_Cors_Settings | undefined = this.getCorsSettings?.();
+    if (!settings) {
+      return;
+    }
+
+    const allowCreds: boolean = settings.allowCredentials !== false;
+    const methods: string[] = settings.allowedMethods ?? [
+      'GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS',
+    ];
+    const headers: string[] = settings.allowedHeaders ?? [
+      'Authorization', 'Content-Type', 'X-Admin-Key', 'X-Requested-With',
+    ];
+    const exposed: string[] = settings.exposedHeaders ?? [
+      'Content-Length', 'Content-Type',
+    ];
+    const maxAge: number = settings.maxAgeSeconds ?? 86400;
+
+    const isAllowed: (origin: string) => boolean = (origin: string): boolean => {
+      if (settings.allowedOrigins === '*') return true;
+      if (typeof settings.allowedOrigins === 'function') {
+        return settings.allowedOrigins(origin);
+      }
+      return settings.allowedOrigins.includes(origin);
+    };
+
+    express.use((req: Express.Request, res: Express.Response, next: Express.NextFunction): void => {
+      const origin: string | undefined = req.headers.origin;
+      if (origin && isAllowed(origin)) {
+        // Echo the matching origin (NOT wildcard) because credentials require it.
+        res.setHeader('Access-Control-Allow-Origin', origin);
+        if (allowCreds) {
+          res.setHeader('Access-Control-Allow-Credentials', 'true');
+        }
+        res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
+        res.setHeader('Access-Control-Allow-Headers', headers.join(', '));
+        res.setHeader('Access-Control-Expose-Headers', exposed.join(', '));
+        res.setHeader('Access-Control-Max-Age', String(maxAge));
+        res.setHeader('Vary', 'Origin');
+      }
+      if (req.method === 'OPTIONS') {
+        res.status(204).end();
+        return;
+      }
+      next();
+    });
+  }
+
   /**
    * Ha getStaticClientSettings() visszaad beállításokat, a client static fájlok a '/' alatt
    * lesznek kiszolgálva (API route-ok után). SPA fallback opcionális (fallbackPath).
@@ -1580,6 +1650,15 @@ export abstract class DyNTS_App extends DyNTS_SingletonService {
    */
   getStaticClientSettings?(): DyNTS_StaticClient_Settings | undefined;
 
+  /**
+   * FR-041 — Ha megadva, CORS middleware mount-olódik mindkét Express instance-ra
+   * (open + secure). Az `allowedOrigins` listán szereplő Origin-eket echo-zza vissza,
+   * `Access-Control-Allow-Credentials: true`-val (default) együtt a Bearer JWT
+   * cross-domain auth flow miatt. OPTIONS preflight 204-gyel rövidre záródik.
+   * Ha undefined → no CORS headers, no preflight handling — back-compat.
+   */
+  getCorsSettings?(): DyNTS_Cors_Settings | undefined;
+
   /**
    * MISSING Description (TODO)
    */

package/src/index.ts

@@ -50,6 +50,7 @@ export * from './_models/interfaces/global-service-settings.interface';
 export * from './_models/interfaces/global-settings.interface';
 export * from './_models/interfaces/routing-module-settings.interface';
 export * from './_models/interfaces/static-client-settings.interface';
+export * from './_models/interfaces/cors-settings.interface';
 
 // models/CONTROL MODELS
 export * from './_models/control-models/api-call-params.control-model';