fix(CORS): add whitelist for trusted domains

schn4ck · Oct 6, 2017 · eddf094 · eddf094
1 parent a81e439
commit eddf094
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/config.tpl.json b/config.tpl.json
@@ -1,5 +1,8 @@
 {
     "admins": [],
     "date_format": "MMMM DD, YYYY",
-    "port": 3000
-}
+    "port": 3000,
+    "cors": {
+        "whitelist": ["http://localhost:8080"]
+    }
+}
diff --git a/index.js b/index.js
@@ -1,5 +1,6 @@
 const fs = require('fs');
 const express = require('express');
+const cors = require('cors');
 const app = express();
 const bodyParser = require('body-parser');
 const moment = require('moment');
@@ -51,8 +52,16 @@ function error(err, request, reply) {
 function run(err, res) {
     if (err) return console.error(err.message);
 
-    // todo: limit cors to trusted domains
-    app.use(require('cors')());
+    app.use(cors({
+        origin: (origin, callback)  => {
+            if (typeof origin === 'undefined' || config.cors.whitelist.indexOf(origin) !== -1) {
+                callback(null, true);
+            } else {
+                callback(new Error('Not allowed by CORS'));
+            }
+        }
+    }));
+
     app.use(bodyParser.json());
     app.use(bodyParser.urlencoded({ extended: true }));