Merge pull request #272 from etduroch/AllowCrossSiteOption

Allow configurable cross site access, needed for client side REST access
theVolary · Feb 26, 2014 · 0125cae · 0125cae
2 parents 3a6b2f5 + a380531
commit 0125cae
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 2 deletions.
diff --git a/lib/config.json b/lib/config.json
@@ -24,6 +24,15 @@
       "ignorePaths": {
 
       }
+    },
+    "crossSiteAccess": {
+      "enabled": false,
+      "authorizedOrigins": {
+        "http://a.trusted.server": [
+          "^/_rest/",
+          "^/another/trusting/route"
+        ]
+      }
     }
   },
 

diff --git a/lib/middleware.js b/lib/middleware.js
@@ -61,11 +61,13 @@ exports.getMiddleware = function(options, cb) {
 
   cache.getItemsWait([
     "feather-files",
-    "feather-logger"
+    "feather-logger",
+    "feather-options"
   ], function(err, cacheItems) {
     if (err) cb(err); else {
       var files = cacheItems["feather-files"];
       var logger = cacheItems['feather-logger'];
+      var appOptions = cacheItems['feather-options'];
 
       router.getRouter(options, function(err, _router) {
         if (err) cb(err); else {      
@@ -81,7 +83,25 @@ exports.getMiddleware = function(options, cb) {
           var middleware = [
             Connect.cookieParser(options.connect.session.secret),
             Connect.session(options.connect.session),
-
+
+            // Handle cross site access exceptions
+            function(req, res, next) {
+              var crossSiteAccess = appOptions.safeGet('connect.crossSiteAccess');
+              if (crossSiteAccess.enabled) {
+                var authorizedRoutes = crossSiteAccess.authorizedOrigins[req.headers.origin];
+                _.find(authorizedRoutes, function(routeRegex){
+                  var pattern = new RegExp(routeRegex);
+                  if (req.url.match(pattern)){
+                    res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
+                    return true;
+                  }
+
+                  return false;
+                });
+              }
+              next();
+            },
+
             // bodyParser handling
             function(req, res, next) {