restify-cors-middleware/src/index.js
2014-05-08 12:16:17 +10:00

76 lines
1.9 KiB
JavaScript

var restify = require('restify');
var util = require('util');
DEFAULT_ALLOW_HEADERS = restify.CORS.ALLOW_HEADERS;
var HTTP_NO_CONTENT = 204;
function matchOrigin(req, origins) {
var origin = req.headers["origin"];
function belongs(o) {
if (origin === o || o === "*") {
origin = o;
return true;
}
return false;
}
if (origin && origins.some(belongs)) {
return origin;
} else {
return false;
}
}
function preflightHandler(options) {
return function(req, res, next) {
if (req.method !== 'OPTIONS') return next();
// 6.2.1 and 6.2.2
if (matchOrigin(req, options.origins) === false) return next();
// 6.2.3
requestedMethod = req.headers['access-control-request-method'];
if (!requestedMethod) return next();
// 6.2.4
requestedHeaders = req.headers['access-control-request-headers'];
requestedHeaders = requestedHeaders ? requestedHeaders.split(', ') : [];
allowedMethods = [requestedMethod, 'OPTIONS'];
allowedHeaders = DEFAULT_ALLOW_HEADERS.concat(['x-requested-with'])
.concat(options.allowHeaders);
// 6.2.7
res.header('Access-Control-Allow-Origin', req.headers['origin']);
res.header('Access-Control-Allow-Credentials', true);
// 6.2.9
res.header('Access-Control-Allow-Methods', allowedMethods.join(', '));
// 6.2.10
res.header('Access-Control-Allow-Headers', allowedHeaders.join(', '));
res.send(HTTP_NO_CONTENT);
};
}
module.exports = function(options) {
if (! util.isArray(options.origins)) options.origins = ['*'];
if (! util.isArray(options.allowHeaders)) options.allowHeaders = [];
if (! util.isArray(options.exposeHeaders)) options.exposeHeaders = [];
return {
actual: restify.CORS({
origins: options.origins,
headers: options.exposeHeaders
}),
preflight: preflightHandler({
origins: options.origins,
allowHeaders: options.allowHeaders
})
};
};