npm - @middy/http-cors - Versions diffs - 7.0.3 → 7.1.1 - Mend

@middy/http-cors 7.0.3 → 7.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <div align="center">
-  <h1>Middy CORS middleware</h1>
+  <h1>Middy `http-cors` middleware</h1>
   <img alt="Middy logo" src="https://raw.githubusercontent.com/middyjs/middy/main/docs/img/middy-logo.svg"/>
   <p><strong>CORS middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda</strong></p>
   <p>

package/index.d.ts CHANGED Viewed

@@ -12,9 +12,10 @@ export interface Options {
 	origins?: string[];
 	exposeHeaders?: string;
 	maxAge?: number | string;
-	requestHeaders?: string;
-	requestMethods?: string;
+	requestHeaders?: string[];
+	requestMethods?: string[];
 	cacheControl?: string;
+	vary?: string;
 }
 declare function httpCors(options?: Options): middy.MiddlewareObj;

package/index.js CHANGED Viewed

@@ -2,6 +2,35 @@
 // SPDX-License-Identifier: MIT
 import { normalizeHttpResponse } from "@middy/util";
+const hostnameToPunycode = (hostname) => {
+	const placeholder = "-_ANY_-";
+	const tempHostname = hostname.replace(/\*/g, placeholder);
+	try {
+		const url = new URL(`https://${tempHostname}`);
+		return url.host.replaceAll(placeholder.toLowerCase(), "*");
+	} catch {
+		return hostname;
+	}
+};
+const originToPunycode = (origin) => {
+	if (!origin || origin === "*") return origin;
+	const match = origin.match(/^(https?:\/\/)(.+)$/);
+	if (!match) return origin;
+	const [, protocol, host] = match;
+	return protocol + hostnameToPunycode(host);
+};
+// CORS-safelisted request headers
+// https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header
+const corsSafelistedRequestHeaders = [
+	"accept",
+	"accept-language",
+	"content-language",
+	"content-type",
+	"range",
+];
 const defaults = {
 	disableBeforePreflightResponse: true,
 	getOrigin: undefined, // default inserted below
@@ -12,6 +41,8 @@ const defaults = {
 	origins: [],
 	exposeHeaders: undefined,
 	maxAge: undefined,
+	requestHeaders: undefined,
+	requestMethods: undefined,
 	cacheControl: undefined,
 	vary: undefined,
 };
@@ -46,15 +77,19 @@ const httpCorsMiddleware = (opts = {}) => {
 		...opts,
 	};
+	options.requestHeaders = options.requestHeaders?.map((v) => v.toLowerCase());
+	options.requestMethods = options.requestMethods?.map((v) => v.toUpperCase());
 	let originAny = false;
 	let originMany = options.origins.length > 1;
 	const originStatic = {};
 	const originDynamic = [];
-	for (const origin of [options.origin, ...options.origins]) {
+	for (let origin of [options.origin, ...options.origins]) {
 		if (!origin) {
 			continue;
 		}
+		origin = originToPunycode(origin);
 		// All
 		if (origin === "*") {
 			originAny = true;
@@ -67,7 +102,6 @@ const httpCorsMiddleware = (opts = {}) => {
 		}
 		originMany = true;
 		// Dynamic
-		// TODO: IDN -> puncycode not handled, add in if requested
 		const regExpStr = origin
 			.replace(/[.+?^${}()|[\]\\]/g, "\\$&")
 			.replaceAll("*", "[^.]*");
@@ -149,6 +183,40 @@ const httpCorsMiddleware = (opts = {}) => {
 		);
 		if (method === "OPTIONS") {
 			normalizeHttpResponse(request);
+			const eventHeaders = request.event.headers ?? {};
+			const requestMethod =
+				eventHeaders["Access-Control-Request-Method"] ??
+				eventHeaders["access-control-request-method"];
+			if (options.requestMethods?.length && requestMethod) {
+				if (!options.requestMethods.includes(requestMethod)) {
+					request.response.statusCode = 204;
+					request.response.headers = {};
+					return request.response;
+				}
+			}
+			const requestHeadersValue =
+				eventHeaders["Access-Control-Request-Headers"] ??
+				eventHeaders["access-control-request-headers"];
+			if (options.requestHeaders?.length && requestHeadersValue) {
+				const requestedHeaders = requestHeadersValue
+					.split(",")
+					.map((h) => h.trim().toLowerCase());
+				const nonSafelistedHeaders = requestedHeaders.filter(
+					(h) => !corsSafelistedRequestHeaders.includes(h),
+				);
+				const hasDisallowedHeader = nonSafelistedHeaders.some(
+					(h) => !options.requestHeaders.includes(h),
+				);
+				if (hasDisallowedHeader) {
+					request.response.statusCode = 204;
+					request.response.headers = {};
+					return request.response;
+				}
+			}
 			const headers = {};
 			modifyHeaders(headers, options, request);
 			request.response.headers = headers;
@@ -178,7 +246,7 @@ const getVersionHttpMethod = {
 	"2.0": (event) => event.requestContext.http.method,
 };
-// header in offical name, lowercase varient handeled
+// header in official name, lowercase variant handled
 const addHeaderPart = (headers, header, value) => {
 	if (!value) return;
 	const headerLower = header.toLowerCase();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@middy/http-cors",
-	"version": "7.0.3",
+	"version": "7.1.1",
 	"description": "CORS (Cross-Origin Resource Sharing) middleware for the middy framework",
 	"type": "module",
 	"engines": {
@@ -65,9 +65,10 @@
 	},
 	"gitHead": "7a6c0fbb8ab71d6a2171e678697de9f237568431",
 	"dependencies": {
-		"@middy/util": "7.0.3"
+		"@middy/util": "7.1.1"
 	},
 	"devDependencies": {
-		"@middy/core": "7.0.3"
+		"@middy/core": "7.1.1",
+		"@types/aws-lambda": "^8.0.0"
 	}
 }