Merge pull request #102 from pvdthings/api-security-enhancement

API security enhancement
pvdthings · Dec 15, 2024 · 0ff075f · 0ff075f
2 parents 47ad4cf + a029d7e
commit 0ff075f
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 40 deletions.
diff --git a/apps/api/package-lock.json b/apps/api/package-lock.json
diff --git a/apps/api/package.json b/apps/api/package.json
@@ -21,6 +21,7 @@
     "@supabase/supabase-js": "^2.45.4",
     "airtable": "^0.12.2",
     "body-parser": "^1.20.3",
+    "cors": "^2.8.5",
     "dotenv": "^16.4.5",
     "express": "^4.21.0",
     "swagger-jsdoc": "^6.2.8",

diff --git a/apps/api/server.js b/apps/api/server.js
@@ -10,20 +10,27 @@ const bodyParser = require('body-parser');
 const auth = require('./auth');
 const things = require('./apps/catalog/routes/things');
 const lending = require('./apps/librarian');
+const cors = require('cors');
 const apiKeyMiddleware = require('./middleware/apiKey');
 
+const corsOptions = Object.freeze({
+    allowedHeaders: [
+        'Origin',
+        'x-api-key',
+        'X-Requested-With',
+        'Content-Type',
+        'Accept',
+        'supabase-access-token',
+        'supabase-refresh-token'
+    ],
+    credentials: true,
+    origin: process.env.ACCESS_CONTROL_ALLOW_ORIGIN
+});
+
+app.use(cors(corsOptions));
 app.use(apiKeyMiddleware);
 app.use(bodyParser.json());
 
-app.all('*', (req, res, next) => {
-    res.header("Access-Control-Allow-Origin", "*");
-    res.header("Access-Control-Allow-Headers", "Origin, x-api-key, X-Requested-With, Content-Type, Accept, supabase-access-token, supabase-refresh-token");
-    res.header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD");
-    res.header("Access-Control-Allow-Credentials", "true");
-    res.header("Access-Control-Allow-Private-Network", "true");
-    next();
-});
-
 app.get('/', (_, res) => {
     res.send('You have reached the Things API');
 });

diff --git a/apps/librarian/lib/modules/loans/details/loan_details_header.dart b/apps/librarian/lib/modules/loans/details/loan_details_header.dart
@@ -29,19 +29,20 @@ class LoanDetailsHeader extends ConsumerWidget {
 
     return PaneHeader(
       child: Row(
-        mainAxisAlignment: MainAxisAlignment.spaceBetween,
         children: [
-          Row(
-            children: loading
-                ? []
-                : [
-                    ThingNumber(number: loan.thing.number),
-                    const SizedBox(width: 16),
-                    Text(
-                      loan.thing.name,
-                      style: const TextStyle(fontSize: 24),
-                    ),
-                  ],
+          if (!loading) ...[
+            ThingNumber(number: loan.thing.number),
+            const SizedBox(width: 16),
+          ],
+          Expanded(
+            child: Container(
+              margin: const EdgeInsets.only(right: 16.0),
+              child: Text(
+                loading ? '' : loan.thing.name,
+                overflow: TextOverflow.ellipsis,
+                style: const TextStyle(fontSize: 24),
+              ),
+            ),
           ),
           Row(
             children: [

diff --git a/apps/web/src/lib/views/BottomNavigationView.svelte b/apps/web/src/lib/views/BottomNavigationView.svelte
@@ -15,7 +15,7 @@
 	$: catalogText = $t('Catalog');
 	$: bookmarksText = $t('Bookmarks');
 	$: learnText = $t('Learn');
-	$: volunteerText = $t('Volunteer');
+	// $: volunteerText = $t('Volunteer');
 </script>
 
 <BottomNavigation>
@@ -38,10 +38,10 @@
 		label={learnText}
 		on:click={() => goto('/info')}
 	/>
-	<BottomNavigationItem
+	<!-- <BottomNavigationItem
 		active={$page.url.pathname === '/volunteer'}
 		iconStyle={$page.url.pathname === '/volunteer' ? 'ph-fill ph-clock text-xl' : 'ph-bold ph-clock text-xl'}
 		label={volunteerText}
 		on:click={() => goto('/volunteer')}
-	/>
+	/> -->
 </BottomNavigation>