From 5c5343ae441251f47b7001064010612536ed6ffd Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 5 Oct 2021 16:41:23 -0300
Subject: [PATCH 1/3] Add DocuSign request whitelist to CORS
---
 src/server/index.js | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index d85b9432f9..4cdb2e7b4b 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -209,9 +209,25 @@ async function onExpressJsSetup(server) {
 /* Receive the signing result from DocuSign server, and then send result to client */
- server.use('/community-app-assets/iframe-break', (req, res) => {
- res.send(``);
- });
+ server.use(
+ '/community-app-assets/iframe-break',
+ (req, res) => {
+ const allowedOrigins = [
+ `https://${config.URL.COMMUNITY_APP}`,
+ `https://${config.URL.PLATFORM_SITE_URL}`,
+ ];
+ const { origin } = req.headers;
+ if (allowedOrigins.includes(origin)) {
+ res.header('Access-Control-Allow-Origin', origin);
+ }
+ res.header('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS');
+ res.header(
+ 'Access-Control-Allow-Headers',
+ 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
+ );
+ res.send(``);
+ },
+ );
 /* Serves a mock DocuSign page. Which is, actually, just a simple local
 * HTML document (/src/shared/services/__mocks__/data/docu-sign-mock.html)
From ccf1c9ba132f3ecd40263234e9942d0a698163e6 Mon Sep 17 00:00:00 2001
From: "Luiz R. Rodrigues"
Date: Tue, 5 Oct 2021 16:42:46 -0300
Subject: [PATCH 2/3] ci: Deploy docusign-cors to Dev env
---
 .circleci/config.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index ab8fcc9a87..8929c58dd6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -343,6 +343,7 @@ workflows:
 branches:
 only:
 - develop
+ - docusign-cors # This is alternate dev env for parallel testing
 - "build-test":
 context : org-global
From d9bc4390c3f0ff919b9d660a1071682e64f63c77 Mon Sep 17 00:00:00 2001
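Review bot: The reflected `Access-Control-Allow-Origin` in the new iframe-break handler is not paired with `Vary: Origin`, so an intermediary or browser cache may serve a response stamped with one allowlisted origin to a request arriving from the other; add `res.header('Vary', 'Origin');` next to the conditional. Because `server.use` matches every method, an OPTIONS preflight also receives the `res.send(``)` body rather than an empty 204, which is harmless but worth tidying if the block stays. `config.URL.PLATFORM_SITE_URL` is prefixed with `https://` here while its name suggests it may already carry a scheme — worth confirming against the config so the allowlist entry is not silently unmatchable. PATCH 3/3 in this series deletes this whole allowlist block again, so these points only apply if it is reinstated.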
From: "Luiz R. Rodrigues"
Date: Tue, 5 Oct 2021 20:17:42 -0300
Subject: [PATCH 3/3] DocuSign request, remove X-Frame_Options
---
 src/server/index.js | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 4cdb2e7b4b..09f05c4fd7 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -212,19 +212,7 @@ async function onExpressJsSetup(server) {
 server.use(
 '/community-app-assets/iframe-break',
 (req, res) => {
- const allowedOrigins = [
- `https://${config.URL.COMMUNITY_APP}`,
- `https://${config.URL.PLATFORM_SITE_URL}`,
- ];
- const { origin } = req.headers;
- if (allowedOrigins.includes(origin)) {
- res.header('Access-Control-Allow-Origin', origin);
- }
- res.header('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS');
- res.header(
- 'Access-Control-Allow-Headers',
- 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
- );
+ res.removeHeader('X-Frame-Options');
 res.send(``);
 },
 );
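Review bot: `res.removeHeader('X-Frame-Options')` on the new side drops the framing restriction for every origin, so the iframe-break page — which exists to be framed by the DocuSign signing session — becomes embeddable by any third-party site as well; the narrower replacement is a framing allowlist set alongside the removal, e.g. `res.header('Content-Security-Policy', 'frame-ancestors <DOCUSIGN_ORIGIN_PLACEHOLDER>');` with the real DocuSign origin taken from config rather than hard-coded. Whatever the page's script posts to the parent (the `res.send(``)` body is stripped from this view) should likewise target a specific origin rather than `'*'`, since the parent window is no longer constrained by the header. Note also that `removeHeader` only affects a header already set on the response when this handler runs; if `X-Frame-Options` is added by middleware registered later or by a proxy in front of the app, it will still reach the browser, so the deployed route is worth checking with a plain HTTP client. The enclosing `onExpressJsSetup` starts and continues outside the hunk.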