feature: echo wildcard CORS origin

Add the ability to specify * as an allowed CORS origin, making the server echo back the origin in Access-Control-Allow-Origin header so that we can use credentials in client requests and security works.
SignalK · Oct 10, 2023 · 68ea9bf · 68ea9bf
1 parent becf29d
commit 68ea9bf
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 14 deletions.
diff --git a/packages/server-admin-ui/src/views/security/Settings.js b/packages/server-admin-ui/src/views/security/Settings.js
@@ -210,13 +210,14 @@ class Settings extends Component {
                     <FormGroup row>
                       <Col md="12">
                         <Label>
-                          Simple CORS requests are allowed from all hosts by
-                          default. You can restrict CORS requests to named hosts
-                          by configuring allowed CORS origins below. The host
-                          where this page is loaded from is automatically
-                          included in the allowed CORS origins so that the Admin
-                          UI continues to work. Changes to the Allowed CORS
-                          origins requires a server restart.
+                          With no configuration all CORS origins are accepted,
+                          but client requests with credentials:include do not
+                          work. Add a single * origin to allow all origins with
+                          credentials. You can also restrict CORS requests to
+                          specific origins. The origin that this UI was loaded
+                          from is automatically added to the allowed origins so
+                          that requests from the UI work. Changes to the Allowed
+                          CORS origins requires a server restart.
                         </Label>
                       </Col>
                     </FormGroup>{' '}
@@ -232,7 +233,8 @@ class Settings extends Component {
                           value={this.state.allowedCorsOrigins}
                         />
                         <FormText color="muted">
-                          Use comma delimited list, example:
+                          Use either * or a comma delimited list of origins,
+                          example:
                           http://host1.name.com:3000,http://host2.name.com:3000
                         </FormText>
                       </Col>

diff --git a/src/cors.ts b/src/cors.ts
@@ -10,19 +10,28 @@ export function setupCors(
   const corsDebug = createDebug('signalk-server:cors')
 
   const corsOptions: CorsOptions = {
-    credentials: true,
+    credentials: true
   }
+
   const corsOrigins = allowedCorsOrigins
     ? allowedCorsOrigins
         .split(',')
         .map((s: string) => s.trim().replace(/\/*$/, ''))
     : []
-  corsDebug(`corsOrigins:${corsOrigins.toString()}`)
-  // set origin only if corsOrigins are set so that
-  // we get the default cors module functionality
-  // for simple requests by default
-  if (corsOrigins.length) {
+
+  // default wildcard cors configuration does not work
+  // with credentials:include client requests, so add
+  // our own wildcard rule that will match all origins
+  // but respond with that origin, not the default *
+  if (allowedCorsOrigins?.startsWith('*')) {
+    corsOptions.origin = (origin: string | undefined, cb) => cb(null, origin)
+    corsDebug('Allowing all origins')
+  } else if (corsOrigins.length > 0) {
+    // set origin only if corsOrigins are set so that
+    // we get the default cors module functionality
+    // for simple requests by default
     corsOptions.origin = corsOrigins
+    corsDebug(`corsOrigins:${corsOrigins.toString()}`)
   }
 
   app.use(cors(corsOptions))