Merge pull request #12 from uniquelyparticular/fix/postrequests

agrohs · web-flow · commit 5c278259ef61 · 2019-05-24T21:58:47.000-05:00
Fix/postrequests
diff --git a/README.md b/README.md
@@ -11,12 +11,11 @@ Built with [Micro](https://github.com/zeit/micro)! 🤩
 Create a `.env` at the project root with the following credentials:
 
 ```dosini
-PROXY_REFERER_WHITELIST=localhost,*.zendesk.com,*.myshopify.com,*.now.sh
+PROXY_ORIGIN_WHITELIST=localhost,*.zendesk.com,*.myshopify.com,*.now.sh
 PROXY_DESTINATION_WHITELIST=api.stripe.com,api.goshippo.com,api.shipengine.com,api.moltin.com,*.myshopify.com,*.salesforce.com,*.demandware.net
 ```
 
-`PROXY_REFERER_WHITELIST` is a comma separated list of patterns to match against the incoming requests 'Referer' header (ex. `localhost,*.myawesomesite.com,*.now.sh`)
-_(and yes, 'REFERER' is intentionally misspelled to match the http header! 😉)_
+`PROXY_ORIGIN_WHITELIST` is a comma separated list of patterns to match against the incoming requests 'Origin' header (ex. `localhost,*.myawesomesite.com,*.now.sh`)
 
 `PROXY_DESTINATION_WHITELIST` is a comma separated list of patterns to match against the URI you are proxying requests to. (ex. `api.somethingsecure.com,*.somotherapi.com`)
 
diff --git a/now.json b/now.json
@@ -4,7 +4,7 @@
   "env": {
     "NODE_ENV": "production",
     "PROXY_PREFIX": "@demo-proxy-prefix",
-    "PROXY_REFERER_WHITELIST": "@demo-proxy-referer-whitelist",
+    "PROXY_ORIGIN_WHITELIST": "@demo-proxy-origin-whitelist",
     "PROXY_DESTINATION_WHITELIST": "@demo-proxy-destination-whitelist",
     "PROXY_REPLACE_GATEWAY_PK": "@particular-gateway-pk",
     "PROXY_REPLACE_GATEWAY_SK": "@particular-gateway-sk"
diff --git a/src/index.js b/src/index.js
@@ -53,15 +53,11 @@ const parseURL = url => {
 }
 
 const isAuthorized = (referer, whitelist = []) => {
+  // console.log('referer', referer)
   // console.log('whitelist', whitelist)
-  const { hostname, protocol } = parseURL(referer)
+  const { hostname } = parseURL(referer)
   // console.log('hostname', hostname)
-  // console.log('protocol', protocol)
-  return (
-    isWhitelisted(hostname, whitelist) &&
-    (protocol === 'https:' ||
-      (protocol === 'http:' && hostname === 'localhost'))
-  )
+  return isWhitelisted(hostname, whitelist)
 }
 
 const toRegexArray = csv => {
@@ -71,7 +67,7 @@ const toRegexArray = csv => {
     .map(value => new RegExp(`^${prepareRegex(value)}$`))
 }
 
-const refererWhiteList = toRegexArray(process.env.PROXY_REFERER_WHITELIST)
+const originWhiteList = toRegexArray(process.env.PROXY_ORIGIN_WHITELIST)
 const destinationWhiteList = toRegexArray(
   process.env.PROXY_DESTINATION_WHITELIST
 )
@@ -88,6 +84,16 @@ const filterValue = input => {
   return mustachReplace(input, envReplacements, proxyReplaceMatchPrefix)
 }
 
+const getOrigin = (origin, referer) => {
+  // console.log('getOrigin, origin', origin)
+  // console.log('getOrigin, referer', referer)
+  const subOrigin = referer.match(/\?origin=([^\?&]+)/)
+  if (subOrigin) {
+    origin = decodeURIComponent(subOrigin[1])
+  }
+  return origin
+}
+
 const requestHeaders = headers => {
   const {
     host,
@@ -104,11 +110,11 @@ const requestHeaders = headers => {
 
   const defaultHeaders = {
     'x-forwarded-by': `${name}-${version}`,
-    'x-forwarded-origin': origin,
+    'x-forwarded-origin': getOrigin(origin, referer),
     'x-forwarded-referer': referer
   }
   const modifiedHeaders = { ...filteredHeaders, ...defaultHeaders }
-  console.log('requestHeaders, modifiedHeaders', modifiedHeaders)
+  // console.log('requestHeaders, modifiedHeaders', modifiedHeaders)
   return modifiedHeaders
 }
 
@@ -207,7 +213,13 @@ const handleProxy = async (req, res) => {
     if (!req.headers.referer) {
       return noReferer(req, res)
     }
-    if (!isAuthorized(req.headers.referer, refererWhiteList)) {
+
+    if (
+      !isAuthorized(
+        getOrigin(req.headers.origin, req.headers.referer),
+        originWhiteList
+      )
+    ) {
       return notAuthorized(req, res)
     }
 
@@ -229,15 +241,23 @@ const handleProxy = async (req, res) => {
     if (req.method !== 'GET') {
       const txt = await text(req)
       // console.log('txt', txt)
-      if (txt) {
-        const body = JSON.parse(txt)
+      if (txt && txt !== '') {
+        let body
+
+        if (req.headers['content-type'] === 'application/json') {
+          body = JSON.parse(txt)
+        } else {
+          body = txt
+        }
+
         // console.log('body', body)
         if (body) {
-          fetchOptions.body = JSON.stringify(body)
+          fetchOptions.body = body
         }
-        // console.log('body fetchOptions', fetchOptions)
+        // console.log('fetchOptions.body', fetchOptions.body)
       }
     }
+    // console.log('fetchOptions', fetchOptions)
     return processRequest(res, req.headers.origin, destinationURL, fetchOptions)
   } catch (error) {
     const jsonError = _toJSON(error)
