From 8d05046d5866d24ae1890e0df32617b3cc77512f Mon Sep 17 00:00:00 2001
From: getlarge
Date: Tue, 19 Dec 2023 13:01:42 +0100
Subject: [PATCH] fix: update local CORS settings requirements
---
 apps/auth/src/main.ts | 17 +++++++++++------
 apps/orders/src/main.ts | 12 ++++++++++--
 apps/payments/src/main.ts | 11 +++++++++--
 apps/tickets/src/main.ts | 12 ++++++++++--
 .../shared/constants/src/requests.ts | 4 +++-
 5 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/apps/auth/src/main.ts b/apps/auth/src/main.ts
index 4f8a2c09..ce276737 100644
--- a/apps/auth/src/main.ts
+++ b/apps/auth/src/main.ts
@@ -31,6 +31,7 @@ import { AppModule } from './app/app.module';
 import { EnvironmentVariables } from './app/env';
 import { APP_FOLDER, DEFAULT_PORT } from './app/shared/constants';
 
+// eslint-disable-next-line max-lines-per-function
 async function bootstrap(): Promise {
 const app = await NestFactory.create(
 AppModule,
@@ -55,10 +56,6 @@ async function bootstrap(): Promise {
 const logger = app.get(Logger);
 app.useLogger(logger);
 app.setGlobalPrefix(GLOBAL_API_PREFIX);
- // app.useStaticAssets({
- // root: resolve(`dist/${APP_FOLDER}/public`),
- // prefix: '/',
- // });
 
 // Fastify
 await app.register(fastifyHelmet, {
@@ -77,9 +74,17 @@ async function bootstrap(): Promise {
 });
 await app.register(fastifyPassport.initialize());
 await app.register(fastifyPassport.secureSession());
- if (!proxyServerUrls.length) {
+ if (!proxyServerUrls.length && environment === 'production') {
 await app.register(fastifyCors, {
- origin: '*',
+ origin: (origin, cb) => {
+ const hostname = new URL(origin).hostname;
+ if (hostname === 'localhost' || hostname === '127.0.0.1') {
+ cb(null, true);
+ return;
+ }
+ cb(new Error('Not allowed'), false);
+ },
+ credentials: true,
 // allowedHeaders: ALLOWED_HEADERS,
 // exposedHeaders: EXPOSED_HEADERS,
 allowedHeaders: '*',
diff --git a/apps/orders/src/main.ts b/apps/orders/src/main.ts
index 484dee0e..1ec73901 100644
--- a/apps/orders/src/main.ts
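Review bot: The guard added in the third hunk enables the localhost-only CORS policy when `environment === 'production'`, whereas the matching hunks in orders, payments and tickets use `'development'` and the subject line says the change targets local settings; as written, a production auth service with no proxy URLs would accept only localhost origins and a development one would register no CORS at all, so unless that is intended the line should read `if (!proxyServerUrls.length && environment === 'development') {`. The origin callback also calls `new URL(origin)` without handling a missing Origin header, and requests that carry none (same-origin, CLI tools, health probes) would make the parse throw inside the CORS hook; the same applies to the orders, payments and tickets hunks, and a guard such as `if (!origin) { cb(null, false); return; }` before the parse avoids it (under strict TypeScript the `string | undefined` parameter type presumably already flags this). Separately, `credentials: true` combined with `allowedHeaders: '*'` will not work in browsers, because the wildcard is not honoured on credentialed requests, so the commented-out `ALLOWED_HEADERS` list likely has to be restored. bootstrap() continues outside the hunk.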
+++ b/apps/orders/src/main.ts
@@ -75,9 +75,17 @@ async function bootstrap(): Promise {
 });
 await app.register(fastifyPassport.initialize());
 await app.register(fastifyPassport.secureSession());
- if (!proxyServerUrls.length) {
+ if (!proxyServerUrls.length && environment === 'development') {
 await app.register(fastifyCors, {
- origin: '*',
+ origin: (origin, cb) => {
+ const hostname = new URL(origin).hostname;
+ if (hostname === 'localhost' || hostname === '127.0.0.1') {
+ cb(null, true);
+ return;
+ }
+ cb(new Error('Not allowed'), false);
+ },
+ credentials: true,
 // allowedHeaders: ALLOWED_HEADERS,
 // exposedHeaders: EXPOSED_HEADERS,
 allowedHeaders: '*',
diff --git a/apps/payments/src/main.ts b/apps/payments/src/main.ts
index ac13bb02..ac37a93d 100644
--- a/apps/payments/src/main.ts
+++ b/apps/payments/src/main.ts
@@ -75,9 +75,16 @@ async function bootstrap(): Promise {
 });
 await app.register(fastifyPassport.initialize());
 await app.register(fastifyPassport.secureSession());
- if (!proxyServerUrls.length) {
+ if (!proxyServerUrls.length && environment === 'development') {
 await app.register(fastifyCors, {
- origin: '*',
+ origin: (origin, cb) => {
+ const hostname = new URL(origin).hostname;
+ if (hostname === 'localhost') {
+ cb(null, true);
+ return;
+ }
+ cb(new Error('Not allowed'), false);
+ },
 // allowedHeaders: ALLOWED_HEADERS,
 // exposedHeaders: EXPOSED_HEADERS,
 allowedHeaders: '*',
diff --git a/apps/tickets/src/main.ts b/apps/tickets/src/main.ts
index e4c5b815..77339b1d 100644
--- a/apps/tickets/src/main.ts
+++ b/apps/tickets/src/main.ts
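Review bot: The origin check in the payments hunk accepts only `localhost` and omits both the `127.0.0.1` case and the `credentials: true` option that the auth, orders and tickets hunks add, so the four services would treat the same local front end differently (a browser on `http://127.0.0.1` would be rejected by payments alone, and credentialed calls to it would get no Allow-Credentials header). If the divergence is not deliberate, align it with the others: `if (hostname === 'localhost' || hostname === '127.0.0.1') {` and `credentials: true,` after the origin function. bootstrap() continues outside the hunk.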
@@ -75,9 +75,17 @@ async function bootstrap(): Promise {
 });
 await app.register(fastifyPassport.initialize());
 await app.register(fastifyPassport.secureSession());
- if (!proxyServerUrls.length) {
+ if (!proxyServerUrls.length && environment === 'development') {
 await app.register(fastifyCors, {
- origin: '*',
+ origin: (origin, cb) => {
+ const hostname = new URL(origin).hostname;
+ if (hostname === 'localhost' || hostname === '127.0.0.1') {
+ cb(null, true);
+ return;
+ }
+ cb(new Error('Not allowed'), false);
+ },
+ credentials: true,
 // allowedHeaders: ALLOWED_HEADERS,
 // exposedHeaders: EXPOSED_HEADERS,
 allowedHeaders: '*',
diff --git a/libs/microservices/shared/constants/src/requests.ts b/libs/microservices/shared/constants/src/requests.ts
index 678e7227..bdda6b8f 100644
--- a/libs/microservices/shared/constants/src/requests.ts
+++ b/libs/microservices/shared/constants/src/requests.ts
@@ -24,7 +24,7 @@ export const bearerSecurityScheme: SecuritySchemeObject = {
 };
 
 export const getCookieOptions = (
- environment: Environment
+ environment: Environment,
 ): CookieSerializeOptions => ({
 secure: !devEnvironments.includes(environment),
 signed: false,
@@ -36,7 +36,9 @@ export const ALLOWED_HEADERS = [
 'X-Version',
 'X-Access-Token',
 'X-Refresh-Token',
+ 'Authorization',
 'Set-Cookie',
+ 'Cookie',
 'DNT',
 'User-Agent',
 'X-Requested-With',
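Review bot: The two entries added to `ALLOWED_HEADERS` in the second hunk have no effect in this commit, because every `main.ts` hunk in the patch still keeps `// allowedHeaders: ALLOWED_HEADERS,` commented out in favour of `allowedHeaders: '*'`, so the list is never sent. `Cookie` is also a forbidden request header that browsers attach themselves and never let page scripts set, so listing it in Access-Control-Allow-Headers does nothing; cookies on cross-origin requests are governed by `credentials: true` plus a non-wildcard origin instead. Consider a comment above the list such as `// Request headers a browser may send cross-origin; Cookie is browser-managed and need not be listed` or dropping that entry. The first hunk is a trailing-comma style change only.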