added cors headers to auth api routes

Vizzuality · Jan 17, 2025 · 8e7ecb1 · 8e7ecb1
1 parent b8a118b
commit 8e7ecb1
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 25 deletions.
diff --git a/client/src/app/auth/api/session/route.ts b/client/src/app/auth/api/session/route.ts
@@ -1,16 +1,21 @@
 import { NextResponse } from "next/server";
 
 import { getServerSession } from "@/lib/auth/server";
+import { getCorsHeaders } from "@/lib/auth/server";
 import { AuthApiResponse } from "@/lib/auth/types";
 import { AppSession } from "@/lib/auth/types";
 
 export async function GET(): Promise<
   NextResponse<AuthApiResponse<AppSession | null>>
 > {
   const session = await getServerSession();
+  const corsHeaders = await getCorsHeaders("GET");
 
-  return NextResponse.json({
-    body: session || null,
-    status: session ? 200 : 401,
-  });
+  return NextResponse.json(
+    {
+      body: session || null,
+      status: session ? 200 : 401,
+    },
+    { headers: corsHeaders },
+  );
 }
diff --git a/client/src/app/auth/api/signin/route.ts b/client/src/app/auth/api/signin/route.ts
@@ -1,7 +1,11 @@
 import { NextRequest, NextResponse } from "next/server";
 
 import { generateUserJWT } from "@/lib/auth/jwt";
-import { setAuthCookie, setResponseCookie } from "@/lib/auth/server";
+import {
+  setAuthCookie,
+  setResponseCookie,
+  getCorsHeaders,
+} from "@/lib/auth/server";
 import { AuthApiResponse, AppSession } from "@/lib/auth/types";
 import { client } from "@/lib/query-client";
 
@@ -10,17 +14,21 @@ export async function POST(
 ): Promise<NextResponse<AuthApiResponse<AppSession | null>>> {
   try {
     const { email, password } = await req.json();
+    const corsHeaders = await getCorsHeaders("POST");
 
     const response = await client.auth.login.mutation({
       body: { email, password },
     });
 
     if (response.status !== 201) {
-      return NextResponse.json({
-        body: null,
-        status: response.status,
-        error: response.body.errors?.[0]?.title || "Invalid credentials",
-      });
+      return NextResponse.json(
+        {
+          body: null,
+          status: response.status,
+          error: response.body.errors?.[0]?.title || "Invalid credentials",
+        },
+        { headers: corsHeaders },
+      );
     }
 
     setResponseCookie(response.headers);
@@ -29,15 +37,26 @@ export async function POST(
     const token = await generateUserJWT(appSession);
     setAuthCookie(token);
 
-    return NextResponse.json({
-      body: appSession,
-      status: 201,
-    });
+    return NextResponse.json(
+      {
+        body: appSession,
+        status: 201,
+      },
+      { headers: corsHeaders },
+    );
   } catch (err) {
-    return NextResponse.json({
-      body: null,
-      status: 500,
-      error: "An error occurred during sign in",
-    });
+    const corsHeaders = await getCorsHeaders("POST");
+    return NextResponse.json(
+      {
+        body: null,
+        status: 500,
+        error: "An error occurred during sign in",
+      },
+      { headers: corsHeaders },
+    );
   }
 }
+
+export async function OPTIONS(): Promise<NextResponse> {
+  return NextResponse.json({}, { headers: await getCorsHeaders("POST") });
+}
diff --git a/client/src/app/auth/api/signout/route.ts b/client/src/app/auth/api/signout/route.ts
@@ -1,13 +1,18 @@
 import { NextResponse } from "next/server";
 
 import { revokeSession } from "@/lib/auth/server";
+import { getCorsHeaders } from "@/lib/auth/server";
 import { AuthApiResponse } from "@/lib/auth/types";
 
 export async function POST(): Promise<NextResponse<AuthApiResponse<null>>> {
   await revokeSession();
+  const corsHeaders = await getCorsHeaders("POST");
 
-  return NextResponse.json({
-    body: null,
-    status: 200,
-  });
+  return NextResponse.json(
+    {
+      body: null,
+      status: 200,
+    },
+    { headers: corsHeaders },
+  );
 }
diff --git a/client/src/lib/auth/server.ts b/client/src/lib/auth/server.ts
@@ -41,10 +41,15 @@ export async function revokeSession(): Promise<void> {
   cookies().delete(TOKEN_KEY);
 }
 
-export async function getServerAuthUrl(): Promise<string> {
+export async function getServerOrigin(): Promise<string> {
   const host = headers().get("host");
   const protocol = process.env.NODE_ENV === "development" ? "http" : "https";
-  return `${protocol}://${host}/auth/api`;
+  return `${protocol}://${host}`;
+}
+
+export async function getServerAuthUrl(): Promise<string> {
+  const origin = await getServerOrigin();
+  return `${origin}/auth/api`;
 }
 
 /**
@@ -67,3 +72,13 @@ export async function setResponseCookie(headers: Headers): Promise<void> {
     });
   }
 }
+
+export async function getCorsHeaders(methods: string): Promise<HeadersInit> {
+  const origin = await getServerOrigin();
+
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": methods,
+    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+  };
+}