Merge pull request #443 from ELEVATE-Project/story-1155

aks30 · web-flow · commit ba9736070695 · 2024-03-19T11:05:46.000+05:30
[story-1155] - Cross Origin Resource Sharing (CORS) Misconfiguration
diff --git a/src/.env.sample b/src/.env.sample
@@ -164,3 +164,6 @@ EVENT_ORG_LISTENER_URLS='http://interface:3567/mentoring/v1/organization/eventLi
 EVENT_ENABLE_ORG_EVENTS=true
 #Generic Email template for new users
 GENERIC_INVITATION_EMAIL_TEMPLATE_CODE=generic_invite
+
+# Allowed host by CORS
+ALLOWED_HOST = "http://examplDomain.com"
diff --git a/src/app.js b/src/app.js
@@ -65,6 +65,12 @@ app.use(bodyParser.json({ limit: '50MB' }))
 
 app.use(express.static('public'))
 
+// Middleware to set Access-Control-Allow-Origin header
+app.use((req, res, next) => {
+	res.setHeader('Access-Control-Allow-Origin', process.env.ALLOWED_HOST)
+	next()
+})
+
 /* Logs request info if environment is configured to enable log */
 app.all('*', (req, res, next) => {
 	logger.info('***User Service Request Log***', {
diff --git a/src/envVariables.js b/src/envVariables.js
@@ -232,6 +232,11 @@ let enviromentVariables = {
 		optional: true,
 		default: 'generic_invite',
 	},
+	ALLOWED_HOST: {
+		message: 'Required CORS allowed host',
+		optional: true,
+		default: '*',
+	},
 }
 
 let success = true
