refactor: allow auth only when creating measurements

jsdelivr · Jan 24, 2024 · 2dfa214 · 2dfa214
1 parent 9ae29ba
commit 2dfa214
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/src/lib/http/middleware/cors.ts b/src/lib/http/middleware/cors.ts
@@ -2,11 +2,18 @@ import type { Context, Next } from 'koa';
 
 export const corsHandler = () => async (ctx: Context, next: Next) => {
 	ctx.set('Access-Control-Allow-Origin', '*');
-	ctx.set('Access-Control-Allow-Headers', '*, Authorization');
+	ctx.set('Access-Control-Allow-Headers', '*');
 	ctx.set('Access-Control-Expose-Headers', '*');
+	ctx.set('Access-Control-Max-Age', '600');
 	ctx.set('Cross-Origin-Resource-Policy', 'cross-origin');
 	ctx.set('Timing-Allow-Origin', '*');
 	ctx.set('Vary', 'Accept-Encoding');
 
 	return next();
 };
+
+export const corsAuthHandler = () => async (ctx: Context, next: Next) => {
+	ctx.set('Access-Control-Allow-Headers', '*, Authorization');
+
+	return next();
+};
diff --git a/src/measurement/route/create-measurement.ts b/src/measurement/route/create-measurement.ts
@@ -3,6 +3,7 @@ import type { Context } from 'koa';
 import type Router from '@koa/router';
 import { getMeasurementRunner } from '../runner.js';
 import { bodyParser } from '../../lib/http/middleware/body-parser.js';
+import { corsAuthHandler } from '../../lib/http/middleware/cors.js';
 import { validate } from '../../lib/http/middleware/validate.js';
 import { schema } from '../schema/global-schema.js';
 
@@ -22,5 +23,7 @@ const handle = async (ctx: Context): Promise<void> => {
 };
 
 export const registerCreateMeasurementRoute = (router: Router): void => {
-	router.post('/measurements', '/measurements', bodyParser(), validate(schema), handle);
+	router
+		.options('/measurements', '/measurements', corsAuthHandler())
+		.post('/measurements', '/measurements', bodyParser(), validate(schema), handle);
 };
diff --git a/test/tests/integration/middleware/cors.test.ts b/test/tests/integration/middleware/cors.test.ts
@@ -26,4 +26,18 @@ describe('cors', () => {
 			expect(response.headers['access-control-allow-origin']).to.equal('*');
 		});
 	});
+
+	describe('Access-Control-Allow-Headers header', () => {
+		it('should include the header with value of *', async () => {
+			const response = await requestAgent.get('/v1/').set('Origin', 'elocast.com').send() as Response;
+
+			expect(response.headers['access-control-allow-headers']).to.equal('*');
+		});
+
+		it('should include the header with value of *, Authorization', async () => {
+			const response = await requestAgent.options('/v1/measurements').send() as Response;
+
+			expect(response.headers['access-control-allow-headers']).to.equal('*, Authorization');
+		});
+	});
 });