Closed ptrxyz closed 1 year ago
Hm, wait, this seems to be client-side code. Of course process.env is not available then. So then, the ALLOWED_ORIGIN check is probably not for security anyway?
Can we get a build flag to disable it, or maybe load the ALLOWED_ORIGINS list from a JSON file that I can simply clear before building?
How does this look to you:
src/allowed_origins.json:

```json
[
  "https://nmrxiv.org",
  "http://nmrxiv.org",
  "http://localhost",
  "http://localhost:3000",
  "http://127.0.0.1:",
  "http://127.0.0.1:3000",
  "http://test.nmrxiv.org",
  "http://193.196.39.168",
  "http://193.196.39.168:3000",
  "https://nodejsdev.nmrxiv.org"
]
```
events.ts:

```ts
// in your events.ts
// replace the ALLOWED_ORIGINS definition with an import
import ALLOWED_ORIGINS from '../allowed_origins.json';
...
// An empty list or a literal "*" entry disables the origin check entirely.
const skipOriginCheck = ALLOWED_ORIGINS.length === 0 || ALLOWED_ORIGINS.includes('*');
if (!skipOriginCheck && !ALLOWED_ORIGINS.includes(parseOrigin(origin))) {
  throw new Error(`Invalid Origin ${origin}`);
}
...
```
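The check sketched above, written out as a self-contained example so it can be run and tested offline. This is added editor code, not the wrapper's own `event.ts`: the allow-list below is a constructed stand-in for `src/allowed_origins.json`, `parseOrigin` is the helper name the snippet above assumes but its body here is mine (it normalises via the WHATWG `URL` parser), and `isOriginAllowed` / `handleMessage` are hypothetical names. The point it shows beyond the snippet: comparing normalised origins rather than raw strings, so that `event.origin` (scheme://host[:port], no path) matches list entries that carry a trailing slash, and an opaque `"null"` origin (sandboxed iframe, `file://`) is rejected rather than accidentally matched.

```typescript
// Constructed allow-list standing in for src/allowed_origins.json (assumption).
const ALLOWED_ORIGINS: string[] = [
  "https://nmrxiv.org/",     // trailing slash on purpose: must still match
  "http://localhost:3000",
];

// Normalise an origin or full URL to scheme://host[:port].
// Returns null for opaque "null" origins and for anything that does not parse.
function parseOrigin(origin: string): string | null {
  try {
    const parsed = new URL(origin);
    return parsed.origin === "null" ? null : parsed.origin;
  } catch {
    return null;
  }
}

// Empty list or a literal "*" entry disables the check, as in the proposal above.
function isOriginAllowed(origin: string, allowed: string[] = ALLOWED_ORIGINS): boolean {
  const skipOriginCheck = allowed.length === 0 || allowed.includes("*");
  if (skipOriginCheck) {
    return true;
  }
  const normalised = parseOrigin(origin);
  if (normalised === null) {
    return false; // "null" / unparsable origins never match
  }
  // Compare normalised forms so list entries with paths or trailing slashes still work.
  return allowed.some((entry) => parseOrigin(entry) === normalised);
}

// Minimal message handler shape: same error text as the snippet above.
function handleMessage(event: { origin: string; data: unknown }): unknown {
  if (!isOriginAllowed(event.origin)) {
    throw new Error(`Invalid Origin ${event.origin}`);
  }
  return event.data;
}

// Usage with a constructed event (a real handler would be registered via
// window.addEventListener("message", ...)):
const sample = { origin: "https://nmrxiv.org", data: { type: "nmr-wrapper:load" } };
console.log(handleMessage(sample));
```

Note that with the opt-out in place, a wrapper page built with `[]` or `["*"]` accepts `postMessage` data from any embedding page, so, as the thread says, the restriction then has to come from the network or the embedding site's own policy rather than from this check.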
@ptrxyz
Thanks for your suggestions.
We are planning to use this service in a dynamic environment where we cannot foresee the origin URLs upfront. Would it be possible to allow skipping the origin checks altogether if, for example, an environment variable is set? Obviously the service would then be publicly available, but in our case we are fine with this or can handle it through origin checks in the network infrastructure.
I suggest something to the extent of replacing https://github.com/NFDI4Chem/nmrium-react-wrapper/blob/1f1530cad7886b9b1d45f2650629dd70f899ef42/src/events/event.ts#L50
with: