Add configurable CORS policy #198
Conversation
| cors({ | ||
| origin: config.corsOrigin, | ||
| }) |
There was a problem hiding this comment.
Do you think it makes sense to only limit origin in requests for sending transactions?
So that any read-only integrations won't break
There was a problem hiding this comment.
Hmm, didn't think about possible read-only integrations.
@akolotov wdyt?
zp-relayer/configs/relayerConfig.ts
Outdated
| @@ -14,6 +14,8 @@ const relayerAddress = new Web3().eth.accounts.privateKeyToAccount( | |||
| process.env.RELAYER_ADDRESS_PRIVATE_KEY as string | |||
| ).address | |||
|
|
|||
| const corsOrigin = (process.env.RELAYER_CORS_ORIGIN || '').split(' ').filter(url => url.length > 0) | |||
There was a problem hiding this comment.
Can you check if it will parse and support regex patterns correctly?
There was a problem hiding this comment.
Node's dotenv package parses everything as a string. It would be hard to tell if the given string is a regex to cast it to the RegExp object. But, we can make a convention (like JS engine does), that anything enclosed in slashes (e.g. /$STRING$/) will be considered as a regex. Wdyt?
There was a problem hiding this comment.
I don't mind, let's just make sure that simple wildcards like *.zkbob.com will work in one way or another.
There was a problem hiding this comment.
Added support for regexps. Any string enclosed in slashes will be casted to RegExp object and passed to cors middleware.
There was a problem hiding this comment.
Also, added a debug log with origins because there could be tricky cases. E.g. to get the analog of JS regexp /\w+/ you need to write the following string in env: /\\w+/.
When using the constructor function, the normal string escape rules (preceding special characters with \ when included in a string) are necessary.
No description provided.