feat: adding CORS configuration

Signed-off-by: Pawel Psztyc <jarrodek@gmail.com>

Author: jarrodek

package-lock.json

@@ -23,6 +23,7 @@
   },
   "dependencies": {
     "@advanced-rest-client/events": "^0.2.29",
+    "@koa/cors": "^3.1.0",
     "@koa/router": "^10.1.1",
     "amf-client-js": "^5.0.0-SEMANTIC-JSONSCHEMA.6",
     "fs-extra": "^10.0.0",
@@ -40,6 +41,7 @@
     "@types/chai": "^4.2.11",
     "@types/fs-extra": "^9.0.13",
     "@types/koa": "^2.13.4",
+    "@types/koa__cors": "^3.0.3",
     "@types/koa__router": "^8.0.9",
     "@types/mocha": "^9.0.0",
     "@types/unzipper": "^0.10.4",

package.json

@@ -1,8 +1,10 @@
 import Koa from 'koa';
 import http from 'http';
 import https from 'https';
+import cors from '@koa/cors';
 import { ApiRoutes } from './ApiRoutes.js';
 
+/** @typedef {import('@koa/cors').Options} CorsOptions */
 /** @typedef {import('../types').RunningServer} RunningServer */
 /** @typedef {import('../types').SupportedServer} SupportedServer */
 /** @typedef {import('../types').ServerConfiguration} ServerConfiguration */
@@ -39,7 +41,12 @@ export class Server {
    * @param {string=} prefix The prefix to use with the API routes. E.g. /api/v1
    */
   setupRoutes(prefix) {
-    const handler = new ApiRoutes(this.opts);
+    const { opts } = this;
+    if (opts.cors && opts.cors.enabled) {
+      const config = opts.cors.cors || this.defaultCorsConfig();
+      this.app.use(cors(config));
+    }
+    const handler = new ApiRoutes(opts);
     const apiRouter = handler.setup(prefix);
     this.app.use(apiRouter.routes());
     this.app.use(apiRouter.allowedMethods());
@@ -137,4 +144,13 @@ export class Server {
       });
     });
   }
+
+  /**
+   * @returns {CorsOptions}
+   */
+  defaultCorsConfig() {
+    return {
+      allowMethods: 'GET,PUT,POST,DELETE',
+    };
+  }
 }

src/Server.js

@@ -0,0 +1,141 @@
+import { assert } from 'chai';
+import getPort from 'get-port';
+import http from 'http';
+import fs from 'fs-extra';
+import Server from '../index.js';
+import { untilResponse, untilParseResult } from './RequestUtils.js';
+
+describe('CORS settings', () => {
+  /** @type Server */
+  let instance;
+  /** @type number */
+  let port;
+  let simpleRamlApi;
+  before(async () => {
+    port = await getPort();
+    simpleRamlApi = await fs.readFile('test/apis/simple.raml', 'utf8');
+  });
+
+  describe('CORS enabled with defaults', () => {
+    before(async () => {
+      port = await getPort();
+      instance = new Server({
+        cors: {
+          enabled: true,
+        }
+      });
+      instance.setupRoutes();
+      await instance.startHttp(port);
+      simpleRamlApi = await fs.readFile('test/apis/simple.raml', 'utf8');
+    });
+  
+    after(async () => {
+      await instance.cleanup();
+      await instance.stopHttp();
+    });
+
+    it('has the CORS headers for OPTIONS request', async () => {
+      const request = http.request({
+        hostname: 'localhost',
+        port,
+        path: '/text',
+        method: 'OPTIONS',
+        headers: {
+          'Content-Type': 'application/raml',
+          'Authorization': 'Basic test',
+          'x-api-vendor': 'RAML 1.0',
+          'origin': 'https://www.api.com',
+          'Accept-Encoding': 'gzip,deflate',
+          'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+          'Accept': 'application/json,application/ld+json',
+          'Connection': 'close',
+          'Access-Control-Request-Method': 'POST',
+          'Access-Control-Request-Headers': 'x-api-vendor, Content-Type',
+        },
+      });
+      const result = await untilResponse(request);
+      const { statusCode, headers } = result;
+      assert.equal(statusCode, 204, 'has the 204 status code');
+      
+      assert.equal(headers['access-control-allow-origin'], 'https://www.api.com', 'has access-control-allow-origin');
+      assert.equal(headers['access-control-allow-methods'], 'GET,PUT,POST,DELETE', 'has access-control-allow-methods');
+      assert.equal(headers['access-control-allow-headers'], 'x-api-vendor, Content-Type', 'has access-control-allow-headers');
+    });
+
+    it('has the CORS headers for POST request', async () => {
+      const request = http.request({
+        hostname: 'localhost',
+        port,
+        path: '/text',
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/raml',
+          'Authorization': 'Basic test',
+          'x-api-vendor': 'RAML 1.0',
+          'origin': 'https://www.api.com',
+          'Accept-Encoding': 'gzip,deflate',
+          'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+          'Accept': 'application/json,application/ld+json',
+          'Connection': 'close',
+          'Access-Control-Request-Method': 'POST',
+          'Access-Control-Request-Headers': 'x-api-vendor, Content-Type',
+        },
+      });
+      request.write(simpleRamlApi);
+      const result = await untilResponse(request);
+      const { headers } = result;
+      
+      assert.equal(headers['access-control-allow-origin'], 'https://www.api.com', 'has access-control-allow-origin');
+    });
+  });
+
+  describe('CORS enabled with passed configuration', () => {
+    before(async () => {
+      port = await getPort();
+      instance = new Server({
+        cors: {
+          enabled: true,
+          cors: {
+            origin: 'https://my.domain.org'
+          },
+        }
+      });
+      instance.setupRoutes();
+      await instance.startHttp(port);
+      simpleRamlApi = await fs.readFile('test/apis/simple.raml', 'utf8');
+    });
+  
+    after(async () => {
+      await instance.cleanup();
+      await instance.stopHttp();
+    });
+
+    it('has the CORS headers for OPTIONS request', async () => {
+      const request = http.request({
+        hostname: 'localhost',
+        port,
+        path: '/text',
+        method: 'OPTIONS',
+        headers: {
+          'Content-Type': 'application/raml',
+          'Authorization': 'Basic test',
+          'x-api-vendor': 'RAML 1.0',
+          'origin': 'https://www.api.com',
+          'Accept-Encoding': 'gzip,deflate',
+          'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+          'Accept': 'application/json,application/ld+json',
+          'Connection': 'close',
+          'Access-Control-Request-Method': 'POST',
+          'Access-Control-Request-Headers': 'x-api-vendor, Content-Type',
+        },
+      });
+      const result = await untilResponse(request);
+      const { statusCode, headers } = result;
+      assert.equal(statusCode, 204, 'has the 204 status code');
+      
+      assert.equal(headers['access-control-allow-origin'], 'https://my.domain.org', 'has access-control-allow-origin');
+      assert.equal(headers['access-control-allow-methods'], 'GET,HEAD,PUT,POST,DELETE,PATCH', 'has access-control-allow-methods');
+      assert.equal(headers['access-control-allow-headers'], 'x-api-vendor, Content-Type', 'has access-control-allow-headers');
+    });
+  });
+});

test/Cors.test.js

@@ -1,5 +1,6 @@
 import http from 'http';
 import https from 'https';
+import { Options as CorsOptions } from '@koa/cors';
 import { AmfParser } from './src/AmfParser';
 
 export interface AmfProcessItem {
@@ -72,6 +73,10 @@ export interface RunningServer {
 
 export interface ServerConfiguration {
   parser?: ParserConfiguration;
+  /**
+   * CORS configuration.
+   */
+  cors?: CorsConfiguration;
 }
 
 export interface ParserConfiguration {
@@ -96,3 +101,19 @@ export interface ApiParsingResult {
    */
   vendor: ParserVendors;
 }
+
+export interface CorsConfiguration {
+  /**
+   * When set it enables CORS headers for the API.
+   * By default it is disabled.
+   */
+  enabled?: boolean;
+  /**
+   * Optional configuration passed to `@koa/cors`.
+   * See more here: https://github.com/koajs/cors
+   * When not set it uses default values.
+   * 
+   * Note, default values apply the request's origin to the `Access-Control-Allow-Origin` header.
+   */
+  cors?: CorsOptions;
+}