From ae0f1847ae03c96a5bf6f174d2c9eb4847eaa7e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 20 Mar 2018 12:24:55 -0400
Subject: [PATCH] allow multiple origins for access-control-allow-origin header
add access-control-allow-credentials header to acp
---
.../en-GB/admin/settings/advanced.json | 1 +
src/middleware/headers.js | 13 ++++-
src/views/admin/settings/advanced.tpl | 4 ++
test/meta.js | 57 +++++++++++++++++++
4 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/public/language/en-GB/admin/settings/advanced.json b/public/language/en-GB/admin/settings/advanced.json
index 05a1929cf0..8da7b1c46a 100644
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -7,6 +7,7 @@
"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
"headers.acao": "Access-Control-Allow-Origin",
"headers.acao-help": "To deny access to all sites, leave empty",
+ "headers.acac": "Access-Control-Allow-Credentials",
"headers.acam": "Access-Control-Allow-Methods",
"headers.acah": "Access-Control-Allow-Headers",
"traffic-management": "Traffic Management",
diff --git a/src/middleware/headers.js b/src/middleware/headers.js
index 035608eab6..60af68a894 100644
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@@ -14,7 +14,18 @@ module.exports = function (middleware) {
};
if (meta.config['access-control-allow-origin']) {
- headers['Access-Control-Allow-Origin'] = encodeURI(meta.config['access-control-allow-origin']);
+ var origins = meta.config['access-control-allow-origin'].split(',');
+ origins = origins.map(function (origin) {
+ return origin && origin.trim();
+ });
+
+ if (origins.includes(req.get('origin'))) {
+ headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
+ }
+ }
+
+ if (meta.config['access-control-allow-credentials']) {
+ headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
}
if (process.env.NODE_ENV === 'development') {
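Review bot: Once `Access-Control-Allow-Origin` is echoed per request from `req.get('origin')` (the `origins.includes(...)` branch), the response also needs `Vary: Origin`, otherwise a shared cache or CDN can serve the ACAO value granted to one allowed origin to a request from another, which both breaks CORS for the second origin and, with `Access-Control-Allow-Credentials` now available, risks exposing a credentialed response to the wrong site; add `headers.Vary = 'Origin';` next to the ACAO assignment (merging with any Vary value already set earlier in this function, which starts above the hunk). The credentials header is written verbatim from `meta.config['access-control-allow-credentials']`, but the only value browsers honour is the literal string `true`, so a stored `1`/`"0"`-style setting would either be ignored or, for a truthy `"0"`, emit a meaningless header — normalise it, e.g. `headers['Access-Control-Allow-Credentials'] = 'true';` inside the guard. Note that an existing configuration of `*` no longer does anything, because the new code only matches when the request Origin is literally in the list; presumably intended (a wildcard cannot be combined with credentials anyway), but it deserves a mention in the ACP help text or a migration note.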
diff --git a/src/views/admin/settings/advanced.tpl b/src/views/admin/settings/advanced.tpl
index 1454389198..b2721ff0bd 100644
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -40,6 +40,10 @@
[[admin/settings/advanced:headers.acao-help]]
+
+
+
+
diff --git a/test/meta.js b/test/meta.js
index 451184d63b..008be48975 100644
--- a/test/meta.js
+++ b/test/meta.js
@@ -2,6 +2,8 @@
var assert = require('assert');
var async = require('async');
+var request = require('request');
+var nconf = require('nconf');
var db = require('./mocks/databasemock');
var meta = require('../src/meta');
@@ -300,4 +302,59 @@ describe('meta', function () {
process.execArgv = oldArgv;
});
});
+
+ describe('Access-Control-Allow-Origin', function () {
+ it('Access-Control-Allow-Origin header should be empty', function (done) {
+ var jar = request.jar();
+ request.get(nconf.get('url') + '/api/search?term=bug', {
+ form: {},
+ json: true,
+ jar: jar,
+ }, function (err, response, body) {
+ assert.ifError(err);
+ assert.equal(response.headers['access-control-allow-origin'], undefined);
+ done();
+ });
+ });
+
+ it('should set proper Access-Control-Allow-Origin header', function (done) {
+ var jar = request.jar();
+ var oldValue = meta.config['access-control-allow-origin'];
+ meta.config['access-control-allow-origin'] = 'test.com, mydomain.com';
+ request.get(nconf.get('url') + '/api/search?term=bug', {
+ form: {
+ },
+ json: true,
+ jar: jar,
+ headers: {
+ origin: 'mydomain.com',
+ },
+ }, function (err, response, body) {
+ assert.ifError(err);
+ assert.equal(response.headers['access-control-allow-origin'], 'mydomain.com');
+ meta.config['access-control-allow-origin'] = oldValue;
+ done(err);
+ });
+ });
+
+ it('Access-Control-Allow-Origin header should be empty if origin does not match', function (done) {
+ var jar = request.jar();
+ var oldValue = meta.config['access-control-allow-origin'];
+ meta.config['access-control-allow-origin'] = 'test.com, mydomain.com';
+ request.get(nconf.get('url') + '/api/search?term=bug', {
+ form: {
+ },
+ json: true,
+ jar: jar,
+ headers: {
+ origin: 'notallowed.com',
+ },
+ }, function (err, response, body) {
+ assert.ifError(err);
+ assert.equal(response.headers['access-control-allow-origin'], undefined);
+ meta.config['access-control-allow-origin'] = oldValue;
+ done(err);
+ });
+ });
+ });
});
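Review bot: In both tests that set `meta.config['access-control-allow-origin']`, the restore to `oldValue` runs only after the assertions, so a failing `assert.equal` throws before it and leaves the allowlist set for every later test in the suite; move `meta.config['access-control-allow-origin'] = oldValue;` to the first line of the callback (before `assert.ifError(err)`), or restore it in an `afterEach`. The trailing `done(err)` after `assert.ifError(err)` is always `done(undefined)` and can be plain `done()`. The hunk also adds no test for the new `Access-Control-Allow-Credentials` header, and the fixture origins (`mydomain.com`) lack a scheme whereas real browsers send `https://mydomain.com`, so the tests as written would not catch a mismatch between how admins enter origins and what the header carries — consider using scheme-qualified values. The enclosing `describe('meta', ...)` starts outside the hunk.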