fix: webchannel cors check

Mohamed Marrouchi 2024-12-01 08:22:47 +01:00
parent dbc651a314
commit f59cdf9ad5


@ -298,12 +298,27 @@ export default abstract class BaseWebChannelHandler<
if (req.headers && req.headers.origin) { if (req.headers && req.headers.origin) {
// Get the allowed origins // Get the allowed origins
const origins: string[] = settings.allowed_domains.split(','); const origins: string[] = settings.allowed_domains.split(',');
const foundOrigin = origins.some((origin: string) => { const foundOrigin = origins
origin = origin.trim(); .map((origin) => {
// If we find a whitelisted origin, send the Access-Control-Allow-Origin header try {
// to greenlight the request. return new URL(origin.trim()).origin;
return origin == req.headers.origin || origin == '*'; } catch (error) {
}); this.logger.error(
`Invalid URL in allowed domains: ${origin}`,
error,
);
return null;
}
})
.filter(
(normalizedOrigin): normalizedOrigin is string =>
normalizedOrigin !== null,
)
.some((origin: string) => {
// If we find a whitelisted origin, send the Access-Control-Allow-Origin header
// to greenlight the request.
return origin === req.headers.origin || origin === '*';
});
if (!foundOrigin) { if (!foundOrigin) {
// For HTTP requests, set the Access-Control-Allow-Origin header to '', which the browser will // For HTTP requests, set the Access-Control-Allow-Origin header to '', which the browser will