Merge pull request #129 from thanhdanh27600/staging

fix more whitelist
thanhdanh27600 · Aug 28, 2023 · a74971f · a74971f
2 parents 3a871ba + 7827d72
commit a74971f
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 28 deletions.
diff --git a/src/api/axios.ts b/src/api/axios.ts
@@ -1,6 +1,6 @@
 import axios from 'axios';
 import { NextApiRequest, NextApiResponse } from 'next';
-import { BASE_URL } from '../types/constants';
+import { BASE_URL, alternateBrandUrl, brandUrl, brandUrlShort } from '../types/constants';
 
 export const API = axios.create({
   baseURL: BASE_URL,
@@ -22,12 +22,16 @@ export function withAuth(token?: string) {
   };
 }
 
-/**
- * @deprecated The method should not be used
- */
+const allowedOrigins = [brandUrl, brandUrlShort, ...[alternateBrandUrl]];
+
 export const allowCors = (handler: any) => async (req: NextApiRequest, res: NextApiResponse) => {
+  const origin = req.headers['origin'];
+  console.log('origin', origin);
+  if (!!origin && allowedOrigins.includes(origin)) {
+    res.setHeader('Access-Control-Allow-Origin', origin);
+  }
   res.setHeader('Access-Control-Allow-Credentials', 'true');
-  res.setHeader('Access-Control-Allow-Origin', '*');
+  // res.setHeader('Access-Control-Allow-Origin', '*');
   res.setHeader('Access-Control-Allow-Methods', 'GET,OPTIONS,PATCH,DELETE,POST,PUT');
   res.setHeader(
     'Access-Control-Allow-Headers',

diff --git a/src/middleware.ts b/src/middleware.ts
@@ -1,29 +1,10 @@
 // middleware.ts
 import { NextRequest, NextResponse } from 'next/server';
-import { alternateBrandUrl, brandUrl, brandUrlShort } from 'types/constants';
 
 // This function can be marked `async` if using `await` inside
 export async function middleware(request: NextRequest) {
-  // the list of all allowed origins
-  const allowedOrigins = [brandUrl, brandUrlShort, ...[alternateBrandUrl]];
   // retrieve the current response
   const res = NextResponse.next();
-  // retrieve the HTTP "Origin" header
-  // from the incoming request
-  const origin = request.headers.get('origin');
-  // if the origin is an allowed one,
-  // add it to the 'Access-Control-Allow-Origin' header
-  console.log('origin', origin);
-  if (!!origin && allowedOrigins.includes(origin)) {
-    res.headers.append('Access-Control-Allow-Origin', origin);
-  }
-  // add the remaining CORS headers to the response
-  res.headers.append('Access-Control-Allow-Credentials', 'true');
-  res.headers.append('Access-Control-Allow-Methods', 'GET,DELETE,PATCH,POST,PUT,OPTIONS');
-  res.headers.append(
-    'Access-Control-Allow-Headers',
-    'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version',
-  );
   return res;
 }
 

diff --git a/src/pages/api/f.ts b/src/pages/api/f.ts
@@ -1,3 +1,4 @@
+import { allowCors } from 'api/axios';
 import { f } from 'controllers';
 // f = forward
-export default f.handler;
+export default allowCors(f.handler);
diff --git a/src/pages/api/forward.ts b/src/pages/api/forward.ts
@@ -1,3 +1,4 @@
+import { allowCors } from 'api/axios';
 import { forward } from 'controllers';
 
-export default forward.handler;
+export default allowCors(forward.handler);
diff --git a/src/pages/api/i.ts b/src/pages/api/i.ts
@@ -1,3 +1,4 @@
+import { allowCors } from 'api/axios';
 import { i } from 'controllers';
-// i = mage
-export default i.handler;
+// i = image
+export default allowCors(i.handler);