Merge pull request #6103 from Countly/ar2rsawseen/master

[SER-136] Add ability to allow multiple CORS for an app

Author: ar2rsawseen

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Version 25.03.x
 
+Features:
+- Add ability to allow multiple CORS per app for web apps
+
 Dependencies:
 - Bump body-parser from 1.20.3 to 2.2.0
 - Bump moment-timezone from 0.5.47 to 0.5.48

api/utils/common.js

@@ -1609,6 +1609,12 @@ common.returnMessage = function(params, returnCode, message, heads, noResult = f
             headers[i] = heads[i];
         }
     }
+    if (params && params.app && params.app.plugins && params.app.plugins.allow_access_control_origin && params.req.headers && params.req.headers.origin) {
+        var cors_headers = (params.app.plugins.allow_access_control_origin || "").replace(/\r\n|\r|\n/g, "\n").split("\n");
+        if (cors_headers.includes(params.req.headers.origin)) {
+            headers['Access-Control-Allow-Origin'] = params.req.headers.origin;
+        }
+    }
     if (params && params.res && params.res.writeHead && !params.blockResponses) {
         if (!params.res.finished) {
             params.res.writeHead(returnCode, headers);
@@ -1678,6 +1684,13 @@ common.returnOutput = function(params, output, noescape, heads) {
             headers[i] = heads[i];
         }
     }
+
+    if (params && params.app && params.app.plugins && params.app.plugins.allow_access_control_origin && params.req.headers && params.req.headers.origin) {
+        var cors_headers = (params.app.plugins.allow_access_control_origin || "").replace(/\r\n|\r|\n/g, "\n").split("\n");
+        if (cors_headers.includes(params.req.headers.origin)) {
+            headers['Access-Control-Allow-Origin'] = params.req.headers.origin;
+        }
+    }
     if (params && params.res && params.res.writeHead && !params.blockResponses) {
         if (!params.res.finished) {
             params.res.writeHead(200, headers);

plugins/plugins/frontend/public/javascripts/countly.views.js

@@ -1316,6 +1316,12 @@
         });
     }
 
+    if (app.configurationsView) {
+        app.configurationsView.registerLabel("allow_access_control_origin", jQuery.i18n.map["configs.allow_access_control_origin"]);
+    }
+
+    app.addAppManagementInput("allow_access_control_origin", jQuery.i18n.map["configs.access_control_origin"], {"allow_access_control_origin": {input: "el-input", attrs: {type: "textarea", rows: 5}}});
+
     app.route('/account-settings', 'account-settings', function() {
         this.renderWhenReady(getAccountView());
     });

plugins/plugins/frontend/public/localization/plugins.properties

@@ -144,6 +144,8 @@ configs.new-password = New Password
 configs.confirmation = Confirm new password
 configs.password-specification-1 = Use a password at least 15 letters long or at least
 configs.password-specification-2 = 8 characters long with mixed letters and numbers.
+configs.access_control_origin = Access-Control-Origin
+configs.allow_access_control_origin = Allow Access-Control-Origin by listing separate origin (including https://) per line
 
 configs.api.description = Main API settings
 configs.api.batch = Batch processing