npm - @hitchy/plugin-odem-rest - Versions diffs - 0.4.8 → 0.5.0 - Mend

@hitchy/plugin-odem-rest 0.4.8 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/LICENSE +1 -1
package/api/services/odem-rest/cors.js +204 -4
package/coverage/tmp/coverage-17048-1649848422081-0.json +1 -0
package/index.js +64 -81
package/package.json +11 -9

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2018 cepharum GmbH
+Copyright (c) 2022 cepharum GmbH
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/api/services/odem-rest/cors.js CHANGED Viewed

@@ -29,8 +29,30 @@
 "use strict";
 module.exports = function() {
+	const Config = this.config;
 	const Services = this.runtime.services;
+	const CommonlyAcceptedHeaders = [
+		"Accept", "Accept-Language", "Authorization", "Content-Language",
+		"Content-Type", "If-Match", "If-None-Match", "If-Modified-Since",
+		"If-Unmodified-Since", "If-Range", "DNT", "Expect"
+	];
+	const Accepted = {
+		schema: {
+			methods: ["GET"],
+			headers: CommonlyAcceptedHeaders,
+		},
+		model: {
+			methods: [ "GET", "POST", "HEAD" ],
+			headers: CommonlyAcceptedHeaders,
+		},
+		item: {
+			methods: [ "GET", "PUT", "PATCH", "HEAD", "DELETE" ],
+			headers: CommonlyAcceptedHeaders,
+		},
+	};
 	/**
 	 * Handles CORS-related behaviours.
 	 *
@@ -44,8 +66,38 @@ module.exports = function() {
 		 * @returns {HitchyRequestPolicyHandler} generated function suitable for registering as routing policy handler
 		 */
 		static getCommonRequestFilter() {
-			return ( _, res, next ) => {
-				res.setHeader( "Access-Control-Allow-Origin", "*" );
+			return ( req, res, next ) => {
+				const origin = req.headers.origin;
+				if ( origin != null ) {
+					const { model: { origins } = {} } = Config;
+					if ( !origins || ( Array.isArray( origins ) && origins.indexOf( origin ) > -1 ) ) {
+						res.setHeader( "Access-Control-Allow-Origin", origin );
+						res.setHeader( "Access-Control-Max-Age", 600 );
+					}
+				}
+				next();
+			};
+		}
+		/**
+		 * Generates function for use as a routing policy filtering CORS-related
+		 * aspects of requests for all models' schemata.
+		 *
+		 * @returns {HitchyRequestPolicyHandler} generated function suitable for registering as routing policy handler
+		 */
+		static getRequestFilterForSchemata() {
+			return ( req, res, next ) => {
+				if ( !res.headersSent ) {
+					this.handleMethods( null, null, req, res, Accepted.schema.methods );
+					if ( res.hasHeader( "Access-Control-Allow-Origin" ) ) {
+						this.handleHeaders( null, null, req, res, Accepted.schema.headers );
+					}
+				}
 				next();
 			};
 		}
@@ -59,8 +111,75 @@ module.exports = function() {
 		 */
 		static getRequestFilterForModel( model ) { // eslint-disable-line no-unused-vars
 			return ( req, res, next ) => {
-				if ( Services.OdemRestSchema.mayBeExposed( req, model ) ) {
-					res.setHeader( "Access-Control-Allow-Origin", "*" );
+				if ( !res.headersSent ) {
+					if ( Services.OdemRestSchema.mayBeExposed( req, model ) ) {
+						this.handleMethods( model, null, req, res, Accepted.model.methods );
+						if ( res.hasHeader( "Access-Control-Allow-Origin" ) ) {
+							this.handleHeaders( model, null, req, res, Accepted.model.headers );
+						}
+					} else {
+						// revoke any access permission commonly granted before
+						res.removeHeader( "Access-Control-Allow-Origin" );
+						res.removeHeader( "Access-Control-Allow-Methods" );
+						res.removeHeader( "Access-Control-Allow-Headers" );
+					}
+				}
+				next();
+			};
+		}
+		/**
+		 * Generates function for use as a routing policy filtering CORS-related
+		 * aspects of requests in scope of provided model.
+		 *
+		 * @param {class<Model>} model class of particular model
+		 * @returns {HitchyRequestPolicyHandler} generated function suitable for registering as routing policy handler
+		 */
+		static getRequestFilterForModelSchema( model ) { // eslint-disable-line no-unused-vars
+			return ( req, res, next ) => {
+				if ( !res.headersSent ) {
+					if ( Services.OdemRestSchema.mayBeExposed( req, model ) ) {
+						this.handleMethods( model, null, req, res, Accepted.schema.methods );
+						if ( res.hasHeader( "Access-Control-Allow-Origin" ) ) {
+							this.handleHeaders( model, null, req, res, Accepted.schema.headers );
+						}
+					} else {
+						// revoke any access permission commonly granted before
+						res.removeHeader( "Access-Control-Allow-Origin" );
+						res.removeHeader( "Access-Control-Allow-Methods" );
+						res.removeHeader( "Access-Control-Allow-Headers" );
+					}
+				}
+				next();
+			};
+		}
+		/**
+		 * Generates function for use as a routing policy filtering CORS-related
+		 * aspects of requests in scope of provided model.
+		 *
+		 * @param {class<Model>} model class of particular model
+		 * @returns {HitchyRequestPolicyHandler} generated function suitable for registering as routing policy handler
+		 */
+		static getRequestFilterForModelItem( model ) { // eslint-disable-line no-unused-vars
+			return ( req, res, next ) => {
+				if ( !res.headersSent && req.params.uuid !== ".schema" ) {
+					if ( Services.OdemRestSchema.mayBeExposed( req, model ) ) {
+						this.handleMethods( model, req.params.uuid, req, res, Accepted.item.methods );
+						if ( res.hasHeader( "Access-Control-Allow-Origin" ) ) {
+							this.handleHeaders( model, req.params.uuid, req, res, Accepted.item.headers );
+						}
+					} else {
+						// revoke any access permission commonly granted before
+						res.removeHeader( "Access-Control-Allow-Origin" );
+						res.removeHeader( "Access-Control-Allow-Methods" );
+						res.removeHeader( "Access-Control-Allow-Headers" );
+					}
 				}
 				next();
@@ -81,6 +200,87 @@ module.exports = function() {
 				next();
 			};
 		}
+		/**
+		 * Injects response header describing available request methods for URL
+		 * processing selected model and optionally addressed item.
+		 *
+		 * @param {class<Model>} model implementation of model selected by request URL
+		 * @param {string} item UUID of model's item addressed in request URL
+		 * @param {HitchyIncomingMessage} req request descriptor
+		 * @param {HitchyServerResponse} res response manager
+		 * @param {string[]} accepted comma-separated list of methods to accept by default
+		 * @returns {void}
+		 * @protected
+		 */
+		static handleMethods( model, item, req, res, accepted ) {
+			const methods = req.headers["access-control-request-method"] || "";
+			if ( methods.length > 0 && res.hasHeader( "Access-Control-Allow-Origin" ) ) {
+				// CORS preflight request
+				let filtered = methods
+					.trim()
+					.split( /[\s,]+/ )
+					.filter( method => method && accepted.indexOf( method ) > -1 );
+				if ( !filtered.length ) {
+					filtered = accepted;
+				}
+				filtered.sort( ( l, r ) => l.toUpperCase().localeCompare( r.toUpperCase() ) );
+				res.setHeader( "Access-Control-Allow-Methods", filtered.join( "," ) );
+			} else if ( req.headers.origin == null ) {
+				// legacy OPTIONS request for list of supported methods
+				accepted.sort( ( l, r ) => l.toUpperCase().localeCompare( r.toUpperCase() ) );
+				res.setHeader( "Allow", accepted.join( "," ) );
+			}
+		}
+		/**
+		 * Injects response header describing available request headers for URL
+		 * processing selected model and optionally addressed item.
+		 *
+		 * @param {class<Model>} model implementation of model selected by request URL
+		 * @param {string} item UUID of model's item addressed in request URL
+		 * @param {HitchyIncomingMessage} req request descriptor
+		 * @param {HitchyServerResponse} res response manager
+		 * @param {string[]} accepted comma-separated list of accepted headers
+		 * @returns {void}
+		 * @protected
+		 */
+		static handleHeaders( model, item, req, res, accepted ) {
+			const headers = req.headers["access-control-request-headers"] || "";
+			if ( headers.length > 0 ) {
+				// CORS preflight request
+				const _accepted = accepted.map( header => header.toLowerCase() );
+				let filtered = headers
+					.trim()
+					.split( /[\s,]+/ )
+					.filter( method => {
+						const name = ( method || "" ).toLowerCase();
+						if ( name && _accepted.indexOf( name ) > -1 ) {
+							return true;
+						}
+						// TODO add support for configuration listing permitted headers
+						return name.startsWith( "x-" );
+					} );
+				if ( !filtered.length ) {
+					filtered = accepted;
+				}
+				filtered.sort( ( l, r ) => l.toLowerCase().localeCompare( r.toLowerCase() ) );
+				res.setHeader( "Access-Control-Allow-Headers", filtered.join( "," ) );
+			}
+		}
 	}
 	return OdemRestCors;