From d6315183ea98e31678ad79f2dc70bbfd0a0b9ce8 Mon Sep 17 00:00:00 2001
From: m0ar <edvard@hubinette.me>
Date: Wed, 16 Oct 2024 12:32:27 +0200
Subject: [PATCH] Fix CORS headers

---
 src/index.ts | 43 +++++++++----------------------------------
 1 file changed, 9 insertions(+), 34 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index ae2956c..b76367a 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -11,46 +11,21 @@ import {
     type ResolveGenericQueryParams,
 } from "./api/v2/resolvers/generic.js";
 
-const allowlist = [
-    "http://localhost:3000",
-    "http://localhost:3001",
-    "http://localhost:61440",
-    "http://localhost:3002",
-    "http://host.docker.internal:3000",
-    "http://host.docker.internal:3002",
-    "http://127.0.0.1:3000",
-    "https://nodes.desci.com",
-    "https://nodes-dev.desci.com",
-    "https://nodes-demo.desci.com",
-    "d2195goqok3wlx.amplifyapp.com",
-    "d3ge8gcb3rt5iw.amplifyapp.com",
-    "desci.com",
-    "gitpod.io",
-    "loca.lt" /** NOT SECURE */,
-    "vercel.app" /** NOT SECURE */,
-];
-
 export const app: Express = express();
 const port = process.env.PORT || 5460;
 
 app.use(pinoHttp({ logger }));
 app.use(express.json());
 
-app.use(function (req, res, next) {
-    // Handle CORS
-    const origin = req.headers.origin;
-    if (
-        (origin && allowlist.indexOf(origin) !== -1) ||
-        (origin && allowlist.filter((a) => a.indexOf("http") != 0 && origin && origin.endsWith(a)).length)
-    ) {
-        res.setHeader("Access-Control-Allow-Origin", origin);
-        res.setHeader(
-            "Access-Control-Allow-Headers",
-            "X-Requested-With,Content-Type,Authorization,sentry-trace,baggage",
-        );
-        res.setHeader("Access-Control-Allow-Methods", "GET, POST, PATCH, OPTIONS, PUT, DELETE");
-        res.setHeader("Access-Control-Allow-Credentials", "true");
-    }
+/** Wide open, since it:
+ * - only resolves public information
+ * - doesn't implement any type of auth
+ * - should be generally available to the public
+ */
+app.use(function (_req, res, next) {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Headers", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET");
     next();
 });