Fix cors request origin

FuelLabs · May 2, 2024 · 3db123b · 3db123b
1 parent ed06468
commit 3db123b
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 11 deletions.
diff --git a/.env b/.env
@@ -5,5 +5,8 @@ POSTGRES_URI="localhost"
 POSTGRES_PORT="5432"
 POSTGRES_DB_NAME="forc_pub"
 
+# Local env
+CORS_HTTP_ORIGIN = "http://localhost:3000"
+
 # Diesel CLI env
 DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_URI}/${POSTGRES_DB_NAME}"
diff --git a/app/src/features/toolbar/hooks/useGithubAuth.ts b/app/src/features/toolbar/hooks/useGithubAuth.ts
@@ -51,10 +51,12 @@ export function useGithubAuth(): [
       return;
     }
 
-    HTTP.get(`/user`).then(({ data }) => {
-      setGithubUser(data.user);
-    });
-  }, [githubUser, setGithubUser, sessionId]);
+    HTTP.get(`/user`)
+      .then(({ data }) => {
+        setGithubUser(data.user);
+      })
+      .catch(() => setSessionId(''));
+  }, [githubUser, setGithubUser, setSessionId, sessionId]);
 
   return [githubUser, logout];
 }
diff --git a/src/cors.rs b/src/cors.rs
@@ -1,10 +1,34 @@
+use std::env;
+
+use dotenvy::dotenv;
+use regex::Regex;
 use rocket::fairing::{Fairing, Info, Kind};
-use rocket::http::Header;
+use rocket::http::{Header, HeaderMap};
 use rocket::{Request, Response};
 
 // Build an open cors module so this server can be used accross many locations on the web.
 pub struct Cors;
 
+fn get_allowed_origin(headers: &HeaderMap<'_>) -> Option<String> {
+    dotenv().ok();
+
+    if let Some(req_origin) = headers.get_one("Origin") {
+        // If the environment variable CORS_HTTP_ORIGIN is set, only allow that origin.
+        if let Some(env_origin) = env::var("CORS_HTTP_ORIGIN").ok() {
+            if req_origin == env_origin.as_str() {
+                return Some(env_origin);
+            }
+        }
+
+        // If the request origin matches the allowed regex, allow only the request origin.
+        let re = Regex::new(r"^https://forc(((.pub)|((-pub)(-git-[a-zA-Z0-9-]+-fuel-labs)?\.vercel\.app)))$").unwrap();
+        if re.is_match(req_origin) {
+            return Some(req_origin.to_string());
+        }
+    }
+    None
+}
+
 // Build Cors Fairing.
 #[rocket::async_trait]
 impl Fairing for Cors {
@@ -15,12 +39,11 @@ impl Fairing for Cors {
         }
     }
 
-    // Build an Access-Control-Allow-Origin * policy Response header.
-    async fn on_response<'r>(&self, _request: &'r Request<'_>, response: &mut Response<'r>) {
-        response.set_header(Header::new(
-            "Access-Control-Allow-Origin",
-            "http://localhost:3000",
-        )); // TODO: env var
+    // Build an Access-Control-Allow-Origin policy Response header.
+    async fn on_response<'r>(&self, request: &'r Request<'_>, response: &mut Response<'r>) {
+        if let Some(origin) = get_allowed_origin(request.headers()) {
+            response.set_header(Header::new("Access-Control-Allow-Origin", origin));
+        }
         response.set_header(Header::new(
             "Access-Control-Allow-Methods",
             "POST, PATCH, PUT, DELETE, HEAD, OPTIONS, GET",