billiegoose · Jul 5, 2018 · Jul 8, 2018 · Jul 8, 2018 · Jul 8, 2018 · Aug 26, 2018
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 node_modules
+isomorphic-git-cors-proxy-0.0.0-development.tgz
diff --git a/.releaserc b/.releaserc
@@ -0,0 +1,9 @@
+branches:
+  - '+([0-9])?(.{+([0-9]),x}).x'
+  - 'main'
+  - 'next'
+  - 'next-major'
+  - name: 'beta'
+    prerelease: true
+  - name: 'alpha'
+    prerelease: true
diff --git a/.travis.yml b/.travis.yml
diff --git a/README.md b/README.md
@@ -1,104 +1,139 @@
-# cors-buster
-When you need a file, but the headers ain't good, who you gonna call? CORS Buster!
+# @isomorphic-git/cors-proxy
 
-## What is this?
+This is the software running on https://cors.isomorphic-git.org/ -
+a free service (generously sponsored by [Clever Cloud](https://www.clever-cloud.com/?utm_source=ref&utm_medium=link&utm_campaign=isomorphic-git))
+for users of [isomorphic-git](https://isomorphic-git.org) that enables cloning and pushing repos in the browser.
 
-This is the software running on https://cors-buster-tbgktfqyku.now.sh, a free
-service for AJAX users struggling to work around the fact that many websites
-do not implement CORS headers, even for static content.
+It is derived from https://github.com/wmhilton/cors-buster with added restrictions to reduce the opportunity to abuse the proxy.
+Namely, it blocks requests that don't look like valid git requests.
 
-## What it does
-
-Say you tried to do this AJAX call and got this lovely error:
+## Installation
 
+```sh
+npm install @isomorphic-git/cors-proxy
 ```
-window.fetch('http://nodejs.org/dist/v6.10.2/node-v6.10.2-linux-x64.tar.gz')
 
-Fetch API cannot load http://nodejs.org/dist/v6.10.2/node-v6.10.2-linux-x64.tar.gz. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.org' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
-Uncaught (in promise) TypeError: Failed to fetch
-```
+## CLI usage
 
-You can do this instead, and now there's no error:
+Start proxy on default port 9999:
 
+```sh
+cors-proxy start
 ```
-window.fetch('https://cors-buster-tbgktfqyku.now.sh/nodejs.org/dist/v6.10.2/node-v6.10.2-linux-x64.tar.gz')
+
+Start proxy on a custom port:
+
+```sh
+cors-proxy start -p 9889
 ```
 
-## Is this safe?
-
-CORS is designed to prevent a 3rd party (Eve) from doing evil things to Alice
-using her browser to make HTTP requests to Bob, essentially impersonating Alice.
-Browsers prevent JavaScript from making this kind of Cross-Origin AJAX Request
-by default. But if this server is making the request *on behalf* of your
-JavaScript, there is no way we could be impersonating Alice. Alice is safe.
-Bob was never protected in the first place. Eve has better things to do with
-her time.
-
-## But I need to POST/PUT/etc with data?
-
-That works too! Just make an OPTIONS/POST/PUT/DELETE/etc request and it will be forwarded.
-If you can only make GET requests, you can provide a `method` query parameter and
-the server will make it that kind of request instead.
-
-## Supported headers
-
-If there's a way to whitelist ALL headers, let me know. The one's I've explicitly added
-so far are:
-
-#### Request Headers:
-
-- accept-encoding
-- accept-language
-- accept
-- access-control-allow-origin
-- authorization
-- cache-control
-- connection
-- content-length
-- content-type
-- dnt
-- pragma
-- range
-- referer
-- user-agent
-- x-http-method-override
-- x-requested-with
-
-#### Response Headers:
-
-- accept-ranges
-- age
-- cache-control
-- content-length
-- content-language
-- content-type
-- date
-- etag
-- expires
-- last-modified
-- pragma
-- server
-- transfer-encoding
-- vary
-- x-github-request-id
-
-## That is nice, I want to run my own server
-
-Sure thing, just do:
+Start proxy in daemon mode. It will write the PID of the daemon process to `$PWD/cors-proxy.pid`:
 
+```sh
+cors-proxy start -d
 ```
-git clone https://github.com/wmhilton/cors-buster
-cd cors-buster
-npm install
-PORT=80 npm start
+
+Kill the process with the PID specified in `$PWD/cors-proxy.pid`:
+
+```sh
+cors-proxy stop
 ```
 
-## No, I meant I want to deploy it to zeit.now.sh
+### CLI configuration
+
+Environment variables:
+- `PORT` the port to listen to (if run with `npm start`)
+- `ALLOW_ORIGIN` the value for the 'Access-Control-Allow-Origin' CORS header
+- `INSECURE_HTTP_ORIGINS` comma separated list of origins for which HTTP should be used instead of HTTPS (added to make developing against locally running git servers easier)
+
 
-Even easier, just do:
+## Middleware usage
+
+You can also use the `cors-proxy` as a middleware in your own server.
+
+```js
+const express = require('express')
+const corsProxy = require('@isomorphic-git/cors-proxy/middleware.js')
+
+const app = express()
+const options = {}
+
+app.use(corsProxy(options))
 
 ```
-now wmhilton/cors-buster
+
+### Middleware configuration
+
+*The middleware doesn't use the environment variables.* The options object supports the following properties:
+
+- `origin`: _string_. The value for the 'Access-Control-Allow-Origin' CORS header
+- `insecure_origins`: _string[]_. Array of origins for which HTTP should be used instead of HTTPS (added to make developing against locally running git servers easier)
+- `authorization`: _(req, res, next) => void_. A middleware function you can use to handle custom authorization. Is run after filtering for git-like requests and handling CORS but before the request is proxied.
+
+_Example:_
+```ts
+app.use(
+  corsProxy({
+    authorization: (req: Request, res: Response, next: NextFunction) => {
+      // proxied git HTTP requests already use the Authorization header for git credentials,
+      // so their [Company] credentials are inserted in the X-Authorization header instead.
+      if (getAuthorizedUser(req, 'X-Authorization')) {
+        return next();
+      } else {
+        return res.status(401).send("Unable to authenticate you with [Company]'s git proxy");
+      }
+    },
+  })
+);
+
+// Only requests with a valid JSON Web Token will be proxied
+function getAuthorizedUser(req: Request, header: string = 'Authorization') {
+  const Authorization = req.get(header);
+
+  if (Authorization) {
+    const token = Authorization.replace('Bearer ', '');
+    try {
+      const verifiedToken = verify(token, env.APP_SECRET) as IToken;
+      if (verifiedToken) {
+        return {
+          id: verifiedToken.userId,
+        };
+      }
+    } catch (e) {
+      // noop
+    }
+  }
+}
+```
+
+## Installation on Kubernetes
+
+There is no official chart for this project, helm or otherwise. You can make your own, but keep in mind cors-proxy uses the Micro server, which will return a 403 error for any requests that do not have the user agent header.
+
+_Example:_
+```yaml
+  containers:
+      - name: cors-proxy
+        image: node:lts-alpine
+        env:
+        - name: ALLOW_ORIGIN
+          value: https://mydomain.com
+        command:
+        - npx
+        args:
+        - '@isomorphic-git/cors-proxy'
+        - start
+        ports:
+        - containerPort: 9999
+          hostPort: 9999
+          name: proxy
+          protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: proxy
+        readinessProbe:
+          tcpSocket:
+            port: proxy
 ```
 
 ## License

diff --git a/allow-request.js b/allow-request.js
@@ -0,0 +1,34 @@
+function isPreflightInfoRefs (req, u) {
+  return req.method === 'OPTIONS' && u.pathname.endsWith('/info/refs') && (u.query.service === 'git-upload-pack' || u.query.service === 'git-receive-pack')
+}
+
+function isInfoRefs (req, u) {
+  return req.method === 'GET' && u.pathname.endsWith('/info/refs') && (u.query.service === 'git-upload-pack' || u.query.service === 'git-receive-pack')
+}
+
+function isPreflightPull (req, u) {
+  return req.method === 'OPTIONS' && req.headers['access-control-request-headers'].includes('content-type') && u.pathname.endsWith('git-upload-pack')
+}
+
+function isPull (req, u) {
+  return req.method === 'POST' && req.headers['content-type'] === 'application/x-git-upload-pack-request' && u.pathname.endsWith('git-upload-pack')
+}
+
+function isPreflightPush (req, u) {
+  return req.method === 'OPTIONS' && req.headers['access-control-request-headers'].includes('content-type') && u.pathname.endsWith('git-receive-pack')
+}
+
+function isPush (req, u) {
+  return req.method === 'POST' && req.headers['content-type'] === 'application/x-git-receive-pack-request' && u.pathname.endsWith('git-receive-pack')
+}
+
+module.exports = function allow (req, u) {
+  return (
+    isPreflightInfoRefs(req, u) ||
+    isInfoRefs(req, u) ||
+    isPreflightPull(req, u) ||
+    isPull(req, u) ||
+    isPreflightPush(req, u) ||
+    isPush(req, u)
+  )
+}
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -0,0 +1,32 @@
+jobs:
+- job: Linux
+
+  pool:
+    vmImage: 'ubuntu-latest'
+
+  steps:
+  - task: NodeTool@0
+    inputs:
+      versionSpec: '10.x'
+    displayName: 'Install Node.js'
+
+  - script: npm ci
+    displayName: 'Install dependencies'
+
+  - script: npm pack
+    displayName: 'Prepare installable tarball'
+    condition: succeededOrFailed()
+
+  - task: PublishBuildArtifacts@1
+    displayName: 'Save npm-tarball.tgz'
+    condition: and(succeededOrFailed(), ne(variables['system.pullrequest.isfork'], true))
+    inputs:
+      artifactName: 'npm-tarball.tgz'
+      PathtoPublish: '$(System.DefaultWorkingDirectory)/isomorphic-git-cors-proxy-0.0.0-development.tgz'
+
+  - script: npm run semantic-release
+    displayName: 'Publish to npm'
+    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+    env:
+      GH_TOKEN: $(GITHUB_TOKEN)
+      NPM_TOKEN: $(Npm.Token)
diff --git a/bin.js b/bin.js
@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+const fs = require('fs')
+const path = require('path')
+const {spawn} = require('child_process')
+const kill = require('tree-kill')
+const minimisted = require('minimisted')
+
+async function main({_: [cmd], p, d}) {
+  switch (cmd) {
+    case 'start': {
+      if (d) require('daemonize-process')()
+      const cmd = require.resolve('micro/bin/micro.js')
+      const args = [
+        cmd,
+        `--listen=tcp://0.0.0.0:${p || 9999}`
+      ]
+      let server = spawn(
+        'node', args,
+        {
+          stdio: 'inherit',
+          windowsHide: true,
+          cwd: __dirname
+        }
+      )
+      fs.writeFileSync(
+        path.join(process.cwd(), 'cors-proxy.pid'),
+        String(process.pid),
+        'utf8'
+      )
+      process.on('exit', server.kill)
+      return
+    }
+    case 'stop': {
+      let pid
+      try {
+        pid = fs.readFileSync(
+          path.join(process.cwd(), 'cors-proxy.pid'),
+          'utf8'
+        );
+      } catch (err) {
+        console.log('No cors-proxy.pid file')
+        return
+      }
+      pid = parseInt(pid)
+      console.log('killing', pid)
+      kill(pid, (err) => {
+        if (err) {
+          console.log(err)
+        } else {
+          fs.unlinkSync(path.join(process.cwd(), 'cors-proxy.pid'))
+        }
+      })
+    }
+  }
+}
+
+minimisted(main)
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		node_modules
		isomorphic-git-cors-proxy-0.0.0-development.tgz