Merge pull request #503 from keystonejs/user-configurable-cors

Make CORS configurable by end users

.changeset/93d02184/changes.json

@@ -0,0 +1,26 @@
+{
+  "releases": [{ "name": "@voussoir/server", "type": "minor" }],
+  "dependents": [
+    { "name": "@voussoir/test-utils", "type": "patch", "dependencies": ["@voussoir/server"] },
+    {
+      "name": "@voussoir/cypress-project-access-control",
+      "type": "patch",
+      "dependencies": ["@voussoir/test-utils", "@voussoir/server"]
+    },
+    {
+      "name": "@voussoir/cypress-project-basic",
+      "type": "patch",
+      "dependencies": ["@voussoir/test-utils", "@voussoir/server"]
+    },
+    {
+      "name": "@voussoir/cypress-project-login",
+      "type": "patch",
+      "dependencies": ["@voussoir/test-utils", "@voussoir/server"]
+    },
+    {
+      "name": "@voussoir/cypress-project-twitter-login",
+      "type": "patch",
+      "dependencies": ["@voussoir/server"]
+    }
+  ]
+}

.changeset/93d02184/changes.md

@@ -0,0 +1 @@
+- Makes CORS user configurable

packages/server/WebServer/graphql.js

@@ -124,7 +124,13 @@ module.exports = function createGraphQLMiddleware(keystone, { apiPath, graphiqlP
       }
     },
   });
-  server.applyMiddleware({ app, path: apiPath });
+  server.applyMiddleware({
+    app,
+    path: apiPath,
+    // Prevent ApolloServer from overriding Keystone's CORS configuration.
+    // https://www.apollographql.com/docs/apollo-server/api/apollo-server.html#ApolloServer-applyMiddleware
+    cors: false,
+  });
   if (graphiqlPath) {
     app.use(graphiqlPath, (req, res) => {
       if (req.user && req.sessionID) {

packages/server/WebServer/index.js

@@ -23,12 +23,9 @@ module.exports = class WebServer {
       this.app.use(require('express-pino-logger')(this.config.pinoOptions));
     }
 
-    this.app.use(
-      cors({
-        origin: true,
-        credentials: true,
-      })
-    );
+    if (this.config.cors) {
+      this.app.use(cors(this.config.cors));
+    }
 
     if (this.config.authStrategy) {
       // Setup the session as the very first thing.

packages/server/WebServer/initConfig.js

@@ -6,6 +6,7 @@ const defaultConfig = {
   port: process.env.PORT || 3000,
   apiPath: '/admin/api',
   graphiqlPath: '/admin/graphiql',
+  cors: { origin: true, credentials: true },
 };
 
 const remapKeys = {