fixup! fix(api): Ensure strictAuthentication is also used in staging

novuhq · Dec 3, 2024 · d45ae6e · d45ae6e
1 parent 9e8eef9
commit d45ae6e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 56 deletions.
diff --git a/apps/api/src/.env.development b/apps/api/src/.env.development
@@ -81,8 +81,6 @@ API_RATE_LIMIT_MAXIMUM_UNLIMITED_TRIGGER=
 API_RATE_LIMIT_MAXIMUM_UNLIMITED_CONFIGURATION=
 API_RATE_LIMIT_MAXIMUM_UNLIMITED_GLOBAL=
 
-PR_PREVIEW_ROOT_URL=dev-web-novu.netlify.app
-
 HUBSPOT_INVITE_NUDGE_EMAIL_USER_LIST_ID=
 HUBSPOT_PRIVATE_APP_ACCESS_TOKEN=
 

diff --git a/apps/api/src/config/cors.config.spec.ts b/apps/api/src/config/cors.config.spec.ts
@@ -1,6 +1,6 @@
 import { spy } from 'sinon';
 import { expect } from 'chai';
-import { corsOptionsDelegate, isPermittedDeployPreviewOrigin } from './cors.config';
+import { corsOptionsDelegate } from './cors.config';
 
 describe('CORS Configuration', () => {
   describe('Local Environment', () => {
@@ -32,7 +32,6 @@ describe('CORS Configuration', () => {
         process.env.FRONT_BASE_URL = 'https://test.com';
         process.env.LEGACY_STAGING_DASHBOARD_URL = 'https://test-legacy-staging-dashboard.com';
         process.env.WIDGET_BASE_URL = 'https://widget.com';
-        process.env.PR_PREVIEW_ROOT_URL = 'https://pr-preview.com';
       });
 
       afterEach(() => {
@@ -43,14 +42,26 @@ describe('CORS Configuration', () => {
         const callbackSpy = spy();
 
         // @ts-expect-error - corsOptionsDelegate is not typed correctly
-        corsOptionsDelegate({ url: '/v1/test' }, callbackSpy);
+        corsOptionsDelegate(
+          {
+            url: '/v1/test',
+            headers: {
+              origin: 'https://test.novu.com',
+            },
+          },
+          callbackSpy
+        );
 
         expect(callbackSpy.calledOnce).to.be.ok;
         expect(callbackSpy.firstCall.firstArg).to.be.null;
-        expect(callbackSpy.firstCall.lastArg.origin.length).to.equal(3);
+        expect(callbackSpy.firstCall.lastArg.origin.length).to.equal(environment === 'dev' ? 4 : 3);
         expect(callbackSpy.firstCall.lastArg.origin[0]).to.equal(process.env.FRONT_BASE_URL);
         expect(callbackSpy.firstCall.lastArg.origin[1]).to.equal(process.env.LEGACY_STAGING_DASHBOARD_URL);
         expect(callbackSpy.firstCall.lastArg.origin[2]).to.equal(process.env.WIDGET_BASE_URL);
+
+        if (environment === 'dev') {
+          expect(callbackSpy.firstCall.lastArg.origin[3]).to.equal('https://test.novu.com');
+        }
       });
 
       it('widget routes should be wildcarded', () => {
@@ -74,56 +85,6 @@ describe('CORS Configuration', () => {
         expect(callbackSpy.firstCall.firstArg).to.be.null;
         expect(callbackSpy.firstCall.lastArg.origin).to.equal('*');
       });
-
-      if (environment === 'dev') {
-        it('should allow all origins for dev environment from pr preview', () => {
-          const callbackSpy = spy();
-
-          // @ts-expect-error - corsOptionsDelegate is not typed correctly
-          corsOptionsDelegate(
-            {
-              url: '/v1/test',
-              headers: {
-                origin: `https://test--${process.env.PR_PREVIEW_ROOT_URL}`,
-              },
-            },
-            callbackSpy
-          );
-
-          expect(callbackSpy.calledOnce).to.be.ok;
-          expect(callbackSpy.firstCall.firstArg).to.be.null;
-          expect(callbackSpy.firstCall.lastArg.origin).to.equal('*');
-        });
-      }
-    });
-  });
-
-  describe('isPermittedDeployPreviewOrigin', () => {
-    afterEach(() => {
-      process.env.NODE_ENV = 'test';
-    });
-
-    it('should return false when NODE_ENV is not dev', () => {
-      process.env.NODE_ENV = 'production';
-      expect(isPermittedDeployPreviewOrigin('https://someorigin.com')).to.be.false;
-    });
-
-    it('should return false when PR_PREVIEW_ROOT_URL is not set', () => {
-      process.env.NODE_ENV = 'dev';
-      delete process.env.PR_PREVIEW_ROOT_URL;
-      expect(isPermittedDeployPreviewOrigin('https://someorigin.com')).to.be.false;
-    });
-
-    it('should return false for origins not matching PR_PREVIEW_ROOT_URL (string)', () => {
-      process.env.NODE_ENV = 'dev';
-      process.env.PR_PREVIEW_ROOT_URL = 'https://pr-preview.com';
-      expect(isPermittedDeployPreviewOrigin('https://anotherorigin.com')).to.be.false;
-    });
-
-    it('should return true for origin matching PR_PREVIEW_ROOT_URL', () => {
-      process.env.NODE_ENV = 'dev';
-      process.env.PR_PREVIEW_ROOT_URL = 'https://pr-preview.com';
-      expect(isPermittedDeployPreviewOrigin('https://netlify-https://pr-preview.com')).to.be.true;
     });
   });
 });
diff --git a/apps/web/env-config.js b/apps/web/env-config.js