🔒️(y-provider) add cors middlewares

Add cors middlewares to y-provider server.
It will control how clients connect to the server
with http requests.

src/frontend/servers/y-provider/__tests__/collaborationResetConnections.test.ts

@@ -24,16 +24,6 @@ describe('Server Tests', () => {
     server.close();
   });
 
-  test('POST /collaboration/api/reset-connections?room=[ROOM_ID] invalid origin', async () => {
-    const response = await request(app as any)
-      .post('/collaboration/api/reset-connections/?room=test-room')
-      .set('Origin', 'http://invalid-origin.com')
-      .send({ document_id: 'test-document' });
-
-    expect(response.status).toBe(403);
-    expect(response.body.error).toBe('CORS policy violation: Invalid Origin');
-  });
-
   test('POST /collaboration/api/reset-connections?room=[ROOM_ID] with incorrect API key should return 403', async () => {
     const response = await request(app as any)
       .post('/collaboration/api/reset-connections/?room=test-room')

src/frontend/servers/y-provider/package.json

@@ -20,6 +20,7 @@
     "@hocuspocus/server": "2.15.0",
     "@sentry/node": "8.45.1",
     "@sentry/profiling-node": "8.45.1",
+    "cors": "2.8.5",
     "express": "4.21.2",
     "express-ws": "5.0.2",
     "y-protocols": "1.0.6",
@@ -27,6 +28,7 @@
   },
   "devDependencies": {
     "@hocuspocus/provider": "2.15.0",
+    "@types/cors": "2.8.17",
     "@types/express": "5.0.0",
     "@types/express-ws": "3.0.5",
     "@types/jest": "29.5.14",

src/frontend/servers/y-provider/src/middlewares.ts

@@ -1,3 +1,4 @@
+import cors from 'cors';
 import { NextFunction, Request, Response } from 'express';
 import * as ws from 'ws';
 
@@ -7,26 +8,20 @@ import {
   Y_PROVIDER_API_KEY,
 } from '@/env';
 
-import { logger } from './utils';
-
 const VALID_API_KEYS = [COLLABORATION_SERVER_SECRET, Y_PROVIDER_API_KEY];
+const allowedOrigins = COLLABORATION_SERVER_ORIGIN.split(',');
+
+export const corsMiddleware = cors({
+  origin: allowedOrigins,
+  methods: ['GET', 'POST'],
+  credentials: true,
+});
 
 export const httpSecurity = (
   req: Request,
   res: Response,
   next: NextFunction,
 ): void => {
-  // Origin check
-  const origin = req.headers['origin'];
-  if (origin && COLLABORATION_SERVER_ORIGIN !== origin) {
-    logger('CORS policy violation: Invalid Origin', origin);
-
-    res
-      .status(403)
-      .json({ error: 'CORS policy violation: Invalid Origin', origin });
-    return;
-  }
-
   // Secret API Key check
   // Note: Changing this header to Bearer token format will break backend compatibility with this microservice.
   const apiKey = req.headers['authorization'];
@@ -45,9 +40,9 @@ export const wsSecurity = (
 ): void => {
   // Origin check
   const origin = req.headers['origin'];
-  if (COLLABORATION_SERVER_ORIGIN !== origin) {
+  if (origin && !allowedOrigins.includes(origin)) {
+    ws.close(4001, 'Origin not allowed');
     console.error('CORS policy violation: Invalid Origin', origin);
-    ws.close();
     return;
   }
 

src/frontend/servers/y-provider/src/servers/appServer.ts

@@ -10,7 +10,7 @@ import {
   collaborationWSHandler,
   convertMarkdownHandler,
 } from '../handlers';
-import { httpSecurity, wsSecurity } from '../middlewares';
+import { corsMiddleware, httpSecurity, wsSecurity } from '../middlewares';
 import { routes } from '../routes';
 import { logger } from '../utils';
 
@@ -24,6 +24,7 @@ import { logger } from '../utils';
 export const initServer = () => {
   const { app } = expressWebsockets(express());
   app.use(express.json());
+  app.use(corsMiddleware);
 
   /**
    * Route to handle WebSocket connections