fix: stricter CORS if Origin header exists (#7349)

Author: n1ru4l

.changeset/sixty-things-occur.md

@@ -0,0 +1,5 @@
+---
+'hive': patch
+---
+
+Stricter CORS assessment for requests sending a Origin header.

integration-tests/tests/api/cors.spec.ts

@@ -0,0 +1,44 @@
+import { ensureEnv } from '../../testkit/env';
+import { getServiceHost } from '../../testkit/utils';
+
+const registryAddress = await getServiceHost('server', 8082);
+
+const endpoint = `http://${registryAddress}`;
+
+test('no origin header -> no CORS checks', async () => {
+  const request = await fetch(`${endpoint}/graphql`);
+  expect(request.headers.get('access-control-allow-origin')).toEqual(null);
+  expect(request.headers.get('access-control-allow-credentials')).toEqual(null);
+  expect(request.status).toEqual(200);
+  expect(await request.text()).toMatchInlineSnapshot(
+    `{"errors":[{"message":"Must provide query string.","extensions":{"code":"BAD_REQUEST"}}]}`,
+  );
+});
+
+test('unmatching origin -> send CORS error', async () => {
+  const request = await fetch(`${endpoint}/graphql`, {
+    headers: {
+      origin: 'https://evil.com',
+    },
+  });
+  expect(request.headers.get('access-control-allow-origin')).toEqual(null);
+  expect(request.headers.get('access-control-allow-credentials')).toEqual(null);
+  expect(request.status).toEqual(403);
+  expect(await request.text()).toMatchInlineSnapshot(`CORS origin not allowed.`);
+});
+
+test('matching origin -> send correct CORS headers', async () => {
+  const request = await fetch(`${endpoint}/graphql`, {
+    headers: {
+      origin: ensureEnv('HIVE_APP_BASE_URL'),
+    },
+  });
+  expect(request.headers.get('access-control-allow-origin')).toEqual(
+    ensureEnv('HIVE_APP_BASE_URL'),
+  );
+  expect(request.headers.get('access-control-allow-credentials')).toEqual('true');
+  expect(request.status).toEqual(200);
+  expect(await request.text()).toMatchInlineSnapshot(
+    `{"errors":[{"message":"Must provide query string.","extensions":{"code":"BAD_REQUEST"}}]}`,
+  );
+});

packages/services/server/src/index.ts

@@ -71,6 +71,12 @@ import { createOtelAuthEndpoint } from './otel-auth-endpoint';
 import { createPublicGraphQLHandler } from './public-graphql-handler';
 import { initSupertokens, oidcIdLookup } from './supertokens';
 
+class CorsError extends Error {
+  constructor() {
+    super('CORS origin not allowed.');
+  }
+}
+
 export async function main() {
   let tracing: TracingInstance | undefined;
 
@@ -146,28 +152,41 @@ export async function main() {
     },
   );
 
-  server.setErrorHandler(supertokensErrorHandler());
+  server.setErrorHandler((err, req, res) => {
+    if (err instanceof CorsError) {
+      return res.status(403).send(err.message);
+    }
+
+    return supertokensErrorHandler()(err, req, res);
+  });
   await server.register(cors, (_: unknown): FastifyCorsOptionsDelegateCallback => {
     return (req, callback) => {
-      if (req.headers.origin?.startsWith(env.hiveServices.webApp.url)) {
-        // We need to treat requests from the web app a bit differently than others.
-        // The web app requires to define the `Access-Control-Allow-Origin` header (not *).
-        callback(null, {
-          origin: env.hiveServices.webApp.url,
-          credentials: true,
-          methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-          allowedHeaders: [
-            'Content-Type',
-            'graphql-client-version',
-            'graphql-client-name',
-            'x-request-id',
-            ...supertokens.getAllCORSHeaders(),
-          ],
+      // For CLI user we do not have a origin
+      if (req.headers.origin == null) {
+        // this is the easiest way to omit all cors headers for our version of the cors plugin.
+        return callback(null, {
+          origin: [],
         });
-        return;
       }
 
-      callback(null, {});
+      if (req.headers.origin !== env.hiveServices.webApp.url) {
+        return callback(new CorsError());
+      }
+
+      // We need to treat requests from the web app a bit differently than others.
+      // The web app requires to define the `Access-Control-Allow-Origin` header (not *).
+      callback(null, {
+        origin: env.hiveServices.webApp.url,
+        credentials: true,
+        methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+        allowedHeaders: [
+          'Content-Type',
+          'graphql-client-version',
+          'graphql-client-name',
+          'x-request-id',
+          ...supertokens.getAllCORSHeaders(),
+        ],
+      });
     };
   });