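/**
 * Builds the two CORS middleware functions used by the routes.
 *
 * CORS headers only tell browsers which other origins may read a response.
 * They are not an access control on the route itself: non-browser clients
 * ignore them, so protected routes still need their own authentication and
 * CSRF checks.
 *
 * @param {Object} env - Configuration object; `env.get('ALLOWED_DOMAINS')` is
 *   read once and is expected to be a whitespace-separated list of origins.
 * @returns {{withAuth: Function, readOnly: Function}} Middleware taking
 *   `(req, res, next)`; both always call `next()`.
 */
module.exports = function (env) {
  // Entries are compared to the Origin header by exact string match, so each
  // one has to be a full origin (scheme://host[:port]). An unset variable
  // gives an empty list, which means no origin is trusted with credentials.
  // Empty entries (from repeated separators) are dropped so that an empty
  // Origin header can never match. Do not list the literal origin "null":
  // sandboxed iframes and local files send it, so it identifies no one.
  var allowedDomains = (env.get('ALLOWED_DOMAINS') || '')
    .split(/\s+/)
    .filter(function (domain) {
      return domain.length > 0;
    });

  // Marks the response as dependent on the request's Origin header, so a
  // shared cache does not replay one origin's Allow-Origin value to another.
  function varyOnOrigin(res) {
    if (typeof res.vary === 'function') {
      res.vary('Origin');
    } else {
      // NOTE(review): fallback for response objects without vary(); this
      // replaces any Vary value set earlier in the chain.
      res.header('Vary', 'Origin');
    }
  }

  return {
    // Use this CORS middleware for any protected routes that need credentials (cookies)
    withAuth: function (req, res, next) {
      var origin = req.headers.origin;

      // Set on allowed and refused requests alike: both outcomes depend on Origin.
      varyOnOrigin(res);

      // Only 1 domain can be served up with Allow-Origin, so we'll use the incoming one if allowed.
      // The value is echoed only after the allow-list lookup succeeds; a refused
      // origin gets no CORS headers and the browser blocks the cross-origin read.
      if (origin && allowedDomains.indexOf(origin) > -1) {
        res.header('Access-Control-Allow-Origin', origin);
        res.header('Access-Control-Allow-Methods', 'POST, GET, PUT, DELETE');
        res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-CSRF-Token, Accept-Ranges, Range-Unit, Content-Range, Range');
        res.header('Access-Control-Expose-Headers', 'Content-Type, Accept-Ranges, Range-Unit, Content-Range');
        // The header value must be the literal string "true".
        res.header('Access-Control-Allow-Credentials', 'true');
      }
      next();
    },
    // Use this CORS middleware for any read-only routes that need CORS
    readOnly: function (req, res, next) {
      // Wildcard origin and no Allow-Credentials: browsers will not expose
      // cookie-authenticated responses under these headers. Authorization is
      // still an allowed request header, so any site can send one explicitly;
      // routes using this middleware should return only data that is safe for
      // every origin to read.
      res.header('Access-Control-Allow-Origin', '*');
      res.header('Access-Control-Allow-Methods', 'GET');
      res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-CSRF-Token, Accept-Ranges, Range-Unit, Content-Range, Range');
      res.header('Access-Control-Expose-Headers', 'Content-Type, Accept-Ranges, Range-Unit, Content-Range');
      next();
    }
  };
};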