

fix(cli): use allow list of origins + set cors headers on error as well

+17 -7
+17 -7
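--- a/cli/src/server.ts
+++ b/cli/src/server.ts
@@ -10,9 +10,12 @@
 getQuery,
 createError,
 getHeader,
+getRequestHeader,
 setResponseHeaders,
 getRouterParam,
 } from 'h3'
+
+const ALLOWED_ORIGINS = new Set(['https://npmx.dev', 'http://localhost:3000'])
 import type { ConnectorState, PendingOperation, OperationType, ApiResponse } from './types.ts'
 import {
 getNpmUser,
@@ -66,14 +69,23 @@
 operations: [],
 }
 
-const app = createApp({
-onRequest(event) {
-// CORS headers for browser connections
+function setCorsHeaders(event: Parameters<typeof setResponseHeaders>[0]) {
+const origin = getRequestHeader(event, 'origin')
+if (origin && ALLOWED_ORIGINS.has(origin)) {
 setResponseHeaders(event, {
-'Access-Control-Allow-Origin': '*',
+'Access-Control-Allow-Origin': origin,
 'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
 'Access-Control-Allow-Headers': 'Content-Type, Authorization',
 })
+}
+}
+
+const app = createApp({
+onRequest(event) {
+setCorsHeaders(event)
+},
+onBeforeResponse(event) {
+setCorsHeaders(event)
 },
 })
 const router = createRouter()
@@ -81,9 +93,7 @@
 // Handle CORS preflight requests
 router.options(
 '/**',
-eventHandler(() => {
-return null
-}),
+eventHandler(() => ''),
 )
 
 function validateToken(authHeader: string | null | undefined): boolean {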
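Review bot: The Access-Control-Allow-Origin value now echoes the request's Origin header in setCorsHeaders, but no `Vary: Origin` header is emitted, so a shared or browser cache may serve a response stamped with one allowed origin to a request arriving from another. Add `'Vary': 'Origin',` to the setResponseHeaders map inside setCorsHeaders so caches key on the origin. As a point of style, the `ALLOWED_ORIGINS` declaration sits between the h3 import and the `import type` line; moving it below the last import keeps the import block contiguous. Note also that `'http://localhost:3000'` in the allow list ships with every build, so if this server is ever reachable outside local development that entry presumably deserves to be gated on an environment flag — the deployment context is not visible in this hunk.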