feat(server): Use origins option to configure Lobby API CORS (#955)

* feat: Use server `origins` option to configure Lobby API CORS

* chore(deps): Update `@koa/cors`

* test(server): Add tests for Koa app CORS config

* feat(server): Add `apiOrigins` option to override `origins` for Lobby API

Author: delucis

docs/documentation/api/Server.md

@@ -56,6 +56,9 @@ A config object with the following options:
 
 7. `authenticateCredentials` (_function_): an optional function that tests if a player’s move is made with the correct credentials when using the default socket.io transport implementation.
 
+8. `apiOrigins` (_array_): a list of allowed origins for requests to the Lobby API. Defaults
+   to the value provided as the `origins` option (which also applies to the socket transport).
+
 #### Returns
 
 An object that contains:

package-lock.json

@@ -93,7 +93,7 @@
     "@types/enzyme": "^3.10.5",
     "@types/jest": "^24.0.0",
     "@types/koa-router": "^7.4.0",
-    "@types/koa__cors": "^3.0.1",
+    "@types/koa__cors": "^3.0.3",
     "@types/node": "^14.0.24",
     "@types/react": "^16.9.36",
     "@types/react-dom": "^16.9.8",
@@ -148,7 +148,7 @@
     "typescript": "^3.8.2"
   },
   "dependencies": {
-    "@koa/cors": "^2.2.1",
+    "@koa/cors": "^3.1.0",
     "@types/koa": "^2.11.3",
     "flatted": "^0.2.3",
     "immer": "^8.0.1",

package.json

@@ -14,6 +14,7 @@ import { createRouter, configureApp } from './api';
 import { ProcessGameConfig } from '../core/game';
 import { Auth } from './auth';
 import * as StorageAPI from './db/base';
+import { Origins } from './cors';
 import type { Game, Server } from '../types';
 
 jest.setTimeout(2000000000);
@@ -72,13 +73,19 @@ class AsyncStorage extends StorageAPI.Async {
 describe('.createRouter', () => {
   function addApiToServer({
     app,
+    origins,
     ...args
-  }: { app: Server.App } & Parameters<typeof createRouter>[0]) {
+  }: {
+    app: Server.App;
+    origins?: Parameters<typeof configureApp>[2];
+  } & Parameters<typeof createRouter>[0]) {
     const router = createRouter(args);
-    configureApp(app, router);
+    configureApp(app, router, origins);
   }
 
-  function createApiServer(args: Parameters<typeof createRouter>[0]) {
+  function createApiServer(
+    args: Omit<Parameters<typeof addApiToServer>[0], 'app'>
+  ) {
     const app: Server.App = new Koa();
     addApiToServer({ app, ...args });
     return app;
@@ -1511,4 +1518,70 @@ describe('.createRouter', () => {
       expect(server.use.mock.calls.length).toBeGreaterThan(1);
     });
   });
+
+  describe('cors', () => {
+    const auth = new Auth();
+    const games: Game[] = [];
+    const db = new AsyncStorage();
+
+    describe('no allowed origins', () => {
+      const app = createApiServer({ auth, games, db, origins: false });
+
+      test('does not allow CORS', async () => {
+        const { res } = await request(app.callback())
+          .get('/games')
+          .set('Origin', 'https://www.example.com')
+          .expect('Vary', 'Origin');
+        expect(res.headers).not.toHaveProperty('access-control-allow-origin');
+        expect(res.headers).not.toHaveProperty('Access-Control-Allow-Origin');
+      });
+    });
+
+    describe('single allowed origin', () => {
+      const origin = 'https://www.example.com';
+      const app = createApiServer({ auth, games, db, origins: origin });
+
+      test('disallows non-matching origin', async () => {
+        const { res } = await request(app.callback())
+          .get('/games')
+          .set('Origin', 'https://www.other.com')
+          .expect('Vary', 'Origin');
+        expect(res.headers).not.toHaveProperty('access-control-allow-origin');
+        expect(res.headers).not.toHaveProperty('Access-Control-Allow-Origin');
+      });
+
+      // eslint-disable-next-line jest/expect-expect
+      test('allows matching origin', async () => {
+        await request(app.callback())
+          .get('/games')
+          .set('Origin', origin)
+          .expect('Vary', 'Origin')
+          .expect('Access-Control-Allow-Origin', origin);
+      });
+    });
+
+    describe('multiple allowed origins', () => {
+      const origins = [Origins.LOCALHOST, 'https://www.example.com'];
+      const app = createApiServer({ auth, games, db, origins });
+
+      test('disallows non-matching origin', async () => {
+        const { res } = await request(app.callback())
+          .get('/games')
+          .set('Origin', 'https://www.other.com')
+          .expect('Vary', 'Origin');
+        expect(res.headers).not.toHaveProperty('access-control-allow-origin');
+        expect(res.headers).not.toHaveProperty('Access-Control-Allow-Origin');
+      });
+
+      // eslint-disable-next-line jest/expect-expect
+      test('allows matching origin', async () => {
+        const origin = 'http://localhost:5000';
+        await request(app.callback())
+          .get('/games')
+          .set('Origin', origin)
+          .expect('Vary', 'Origin')
+          .expect('Access-Control-Allow-Origin', origin);
+      });
+    });
+  });
 });

src/server/api.test.ts

@@ -11,6 +11,7 @@ import Router from 'koa-router';
 import koaBody from 'koa-body';
 import { nanoid } from 'nanoid';
 import cors from '@koa/cors';
+import type IOTypes from 'socket.io';
 import { createMatch } from './util';
 import type { Auth } from './auth';
 import type { Server, LobbyAPI, Game, StorageAPI } from '../types';
@@ -446,9 +447,18 @@ export const createRouter = ({
 
 export const configureApp = (
   app: Server.App,
-  router: Router<any, Server.AppCtx>
+  router: Router<any, Server.AppCtx>,
+  origins: IOTypes.ServerOptions['cors']['origin']
 ): void => {
-  app.use(cors());
+  app.use(
+    cors({
+      // Set Access-Control-Allow-Origin header for allowed origins.
+      origin: (ctx) => {
+        const origin = ctx.get('Origin');
+        return isOriginAllowed(origin, origins) ? origin : '';
+      },
+    })
+  );
 
   // If API_SECRET is set, then require that requests set an
   // api-secret header that is set to the same value.
@@ -465,3 +475,30 @@ export const configureApp = (
 
   app.use(router.routes()).use(router.allowedMethods());
 };
+
+/**
+ * Check if a request’s origin header is allowed for CORS.
+ * Adapted from `cors` package: https://github.com/expressjs/cors
+ * @param origin Request origin to test.
+ * @param allowedOrigin Origin(s) that are allowed to connect via CORS.
+ * @returns `true` if the origin matched at least one of the allowed origins.
+ */
+function isOriginAllowed(
+  origin: string,
+  allowedOrigin: IOTypes.ServerOptions['cors']['origin']
+): boolean {
+  if (Array.isArray(allowedOrigin)) {
+    for (const entry of allowedOrigin) {
+      if (isOriginAllowed(origin, entry)) {
+        return true;
+      }
+    }
+    return false;
+  } else if (typeof allowedOrigin === 'string') {
+    return origin === allowedOrigin;
+  } else if (allowedOrigin instanceof RegExp) {
+    return allowedOrigin.test(origin);
+  } else {
+    return !!allowedOrigin;
+  }
+}

src/server/api.ts

@@ -59,6 +59,7 @@ export const getPortFromServer = (
 interface ServerOpts {
   games: Game[];
   origins?: IOTypes.ServerOptions['cors']['origin'];
+  apiOrigins?: IOTypes.ServerOptions['cors']['origin'];
   db?: StorageAPI.Async | StorageAPI.Sync;
   transport?: SocketIO;
   uuid?: () => string;
@@ -74,7 +75,8 @@ interface ServerOpts {
  * @param db - The interface with the database.
  * @param transport - The interface with the clients.
  * @param authenticateCredentials - Function to test player credentials.
- * @param origins - Allowed origins to use this server, i.e. [http://localhost:300]
+ * @param origins - Allowed origins to use this server, e.g. `['http://localhost:3000']`.
+ * @param apiOrigins - Allowed origins to use the Lobby API, defaults to `origins`.
  * @param generateCredentials - Method for API to generate player credentials.
  * @param https - HTTPS configuration options passed through to the TLS module.
  * @param lobbyConfig - Configuration options for the Lobby API server.
@@ -86,6 +88,7 @@ export function Server({
   https,
   uuid,
   origins,
+  apiOrigins = origins,
   generateCredentials = uuid,
   authenticateCredentials,
 }: ServerOpts) {
@@ -133,13 +136,13 @@ export function Server({
       const lobbyConfig = serverRunConfig.lobbyConfig;
       let apiServer: KoaServer | undefined;
       if (!lobbyConfig || !lobbyConfig.apiPort) {
-        configureApp(app, router);
+        configureApp(app, router, apiOrigins);
       } else {
         // Run API in a separate Koa app.
         const api: ServerTypes.App = new Koa();
         api.context.db = db;
         api.context.auth = auth;
-        configureApp(api, router);
+        configureApp(api, router, apiOrigins);
         await new Promise((resolve) => {
           apiServer = api.listen(lobbyConfig.apiPort, resolve);
         });