api3dao · vponline · Aug 4, 2022 · Aug 1, 2022 · Aug 1, 2022 · Aug 1, 2022
diff --git a/.changeset/modern-donkeys-play.md b/.changeset/modern-donkeys-play.md
@@ -0,0 +1,7 @@
+---
+'@api3/airnode-deployer': minor
+'@api3/airnode-examples': minor
+'@api3/airnode-validator': minor
+---
+
+Add corsOrigins field to config.json, handle CORS checks in deployer handlers, add OPTIONS http method to terraform templates
diff --git a/packages/airnode-deployer/config/config.example.json b/packages/airnode-deployer/config/config.example.json
@@ -43,12 +43,14 @@
     "httpGateway": {
       "enabled": true,
       "apiKey": "${HTTP_GATEWAY_API_KEY}",
-      "maxConcurrency": 20
+      "maxConcurrency": 20,
+      "corsOrigins": []
     },
     "httpSignedDataGateway": {
       "enabled": true,
       "apiKey": "${HTTP_SIGNED_DATA_GATEWAY_API_KEY}",
-      "maxConcurrency": 20
+      "maxConcurrency": 20,
+      "corsOrigins": []
     },
     "logFormat": "plain",
     "logLevel": "INFO",

diff --git a/packages/airnode-deployer/src/handlers/aws/index.ts b/packages/airnode-deployer/src/handlers/aws/index.ts
@@ -10,7 +10,7 @@ import {
   CallApiPayload,
   loadTrustedConfig,
 } from '@api3/airnode-node';
-import { verifyHttpSignedDataRequest, verifyHttpRequest } from '../common';
+import { verifyHttpSignedDataRequest, verifyHttpRequest, verifyRequestOrigin } from '../common';
 
 const configFile = path.resolve(`${__dirname}/../../config-data/config.json`);
 const parsedConfig = loadTrustedConfig(configFile, process.env);
@@ -114,6 +114,21 @@ export async function processHttpRequest(
     format: parsedConfig.nodeSettings.logFormat,
     level: parsedConfig.nodeSettings.logLevel,
   });
+
+  // Check if the request origin header is allowed in the config
+  const originVerification = verifyRequestOrigin(
+    parsedConfig.nodeSettings.httpGateway.enabled ? parsedConfig.nodeSettings.httpGateway.corsOrigins : [],
+    event.headers.origin
+  );
+  if (!originVerification.success) {
+    return { statusCode: 400, body: JSON.stringify(originVerification.error) };
+  }
+
+  // Respond to preflight requests if the origin is allowed
+  if (event.httpMethod === 'OPTIONS') {
+    return { statusCode: 204, headers: originVerification.headers, body: '' };
+  }
+
   // The shape of the body is guaranteed by the openAPI spec
   const rawParameters = (JSON.parse(event.body!) as ProcessHttpRequestBody).parameters;
   // The "endpointId" path parameter existence is guaranteed by the openAPI spec
@@ -130,11 +145,11 @@ export async function processHttpRequest(
   const [err, result] = await handlers.processHttpRequest(parsedConfig, endpointId, parameters);
   if (err) {
     // Returning 500 because failure here means something went wrong internally with a valid request
-    return { statusCode: 500, body: JSON.stringify({ message: err.toString() }) };
+    return { statusCode: 500, headers: originVerification.headers, body: JSON.stringify({ message: err.toString() }) };
   }
 
   // We do not want the user to see {"success": true, "data": <actual_data>}, but the actual data itself
-  return { statusCode: 200, body: JSON.stringify(result!.data) };
+  return { statusCode: 200, headers: originVerification.headers, body: JSON.stringify(result!.data) };
 }
 
 interface ProcessHttpSignedDataRequestBody {
@@ -150,6 +165,21 @@ export async function processHttpSignedDataRequest(
     format: parsedConfig.nodeSettings.logFormat,
     level: parsedConfig.nodeSettings.logLevel,
   });
+
+  // Check if the request origin header is allowed in the config
+  const originVerification = verifyRequestOrigin(
+    parsedConfig.nodeSettings.httpGateway.enabled ? parsedConfig.nodeSettings.httpGateway.corsOrigins : [],
+    event.headers.origin
+  );
+  if (!originVerification.success) {
+    return { statusCode: 400, body: JSON.stringify(originVerification.error) };
+  }
+
+  // Respond to preflight requests if the origin is allowed
+  if (event.httpMethod === 'OPTIONS') {
+    return { statusCode: 204, headers: originVerification.headers, body: '' };
+  }
+
   // The shape of the body is guaranteed by the openAPI spec
   const rawEncodedParameters = (JSON.parse(event.body!) as ProcessHttpSignedDataRequestBody).encodedParameters;
   // The "endpointId" path parameter existence is guaranteed by the openAPI spec
@@ -158,17 +188,17 @@ export async function processHttpSignedDataRequest(
   const verificationResult = verifyHttpSignedDataRequest(parsedConfig, rawEncodedParameters, rawEndpointId);
   if (!verificationResult.success) {
     const { statusCode, error } = verificationResult;
-    return { statusCode, body: JSON.stringify(error) };
+    return { statusCode, headers: originVerification.headers, body: JSON.stringify(error) };
   }
   const { encodedParameters, endpointId } = verificationResult;
 
   addMetadata({ 'Endpoint-ID': endpointId });
   const [err, result] = await handlers.processHttpSignedDataRequest(parsedConfig, endpointId, encodedParameters);
   if (err) {
     // Returning 500 because failure here means something went wrong internally with a valid request
-    return { statusCode: 500, body: JSON.stringify({ message: err.toString() }) };
+    return { statusCode: 500, headers: originVerification.headers, body: JSON.stringify({ message: err.toString() }) };
   }
 
   // We do not want the user to see {"success": true, "data": <actual_data>}, but the actual data itself
-  return { statusCode: 200, body: JSON.stringify(result!.data) };
+  return { statusCode: 200, headers: originVerification.headers, body: JSON.stringify(result!.data) };
 }
diff --git a/packages/airnode-deployer/src/handlers/common.test.ts b/packages/airnode-deployer/src/handlers/common.test.ts
@@ -1,7 +1,13 @@
 import { readFileSync } from 'fs';
 import { join } from 'path';
 import { Config } from '@api3/airnode-node';
-import { verifyHttpRequest, verifyHttpSignedDataRequest } from './common';
+import {
+  verifyHttpRequest,
+  verifyHttpSignedDataRequest,
+  checkRequestOrigin,
+  verifyRequestOrigin,
+  buildCorsHeaders,
+} from './common';
 
 const loadConfigFixture = (): Config =>
   // We type the result as "Config", however it will not pass validation in it's current state because the secrets are
@@ -102,3 +108,58 @@ describe('verifyHttpSignedDataRequest', () => {
     });
   });
 });
+
+describe('cors', () => {
+  const origin = 'https://origin.com';
+  const notAllowedOrigin = 'https://notallowed.com';
+  const allAllowedOrigin = '*';
+
+  describe('buildCorsHeaders', () => {
+    it('returns headers with input origin', () => {
+      const headers = buildCorsHeaders(origin);
+      expect(headers).toEqual({
+        'Access-Control-Allow-Origin': origin,
+        'Access-Control-Allow-Methods': 'OPTIONS,POST',
+        'Access-Control-Allow-Headers': 'Content-Type,x-api-key',
+      });
+    });
+  });
+
+  describe('checkRequestOrigin', () => {
+    it('returns allowed origin', () => {
+      const allowedOrigin = checkRequestOrigin([origin], origin);
+      expect(allowedOrigin).toEqual(origin);
+    });
+
+    it('returns allow all origins', () => {
+      const allowedOrigin = checkRequestOrigin([allAllowedOrigin], origin);
+      expect(allowedOrigin).toEqual(allAllowedOrigin);
+    });
+
+    it('returns undefined if no allowed origin match', () => {
+      const allowedOrigin = checkRequestOrigin([origin], notAllowedOrigin);
+      expect(allowedOrigin).toBeUndefined();
+    });
+
+    it('returns undefined if empty allowedOrigins', () => {
+      const allowedOrigin = checkRequestOrigin([], notAllowedOrigin);
+      expect(allowedOrigin).toBeUndefined();
+    });
+  });
+
+  describe('verifyRequestOrigin', () => {
+    it('handles disabling cors', () => {
+      const originVerification = verifyRequestOrigin([], notAllowedOrigin);
+      expect(originVerification).toEqual({ success: false, error: { message: 'CORS origin verification failed.' } });
+    });
+    it('handles allow all origins', () => {
+      const originVerification = verifyRequestOrigin([allAllowedOrigin], notAllowedOrigin);
+      expect(originVerification).toEqual({ success: true, headers: buildCorsHeaders(allAllowedOrigin) });
+    });
+
+    it('handles allowed origin', () => {
+      const originVerification = verifyRequestOrigin([origin], origin);
+      expect(originVerification).toEqual({ success: true, headers: buildCorsHeaders(origin) });
+    });
+  });
+});
diff --git a/packages/airnode-deployer/src/handlers/common.ts b/packages/airnode-deployer/src/handlers/common.ts
@@ -95,3 +95,22 @@ export function verifyHttpSignedDataRequest(
 
   return { success: true, encodedParameters, endpointId: validEndpointId };
 }
+
+export const checkRequestOrigin = (allowedOrigins: string[], origin?: string) =>
+  allowedOrigins.find((allowedOrigin) => allowedOrigin === '*') ||
+  (origin && allowedOrigins.find((allowedOrigin) => allowedOrigin === origin));
+
+export const buildCorsHeaders = (origin: string) => ({
+  'Access-Control-Allow-Origin': origin,
+  'Access-Control-Allow-Methods': 'OPTIONS,POST',
+  'Access-Control-Allow-Headers': 'Content-Type,x-api-key',
+});
+
+export const verifyRequestOrigin = (allowedOrigins: string[], origin?: string) => {
+  const allowedOrigin = checkRequestOrigin(allowedOrigins, origin);
+
+  // Return CORS headers to be used by the response if the origin is allowed
+  if (allowedOrigin) return { success: true, headers: buildCorsHeaders(allowedOrigin) };
+
+  return { success: false, error: { message: 'CORS origin verification failed.' } };
+};
diff --git a/packages/airnode-deployer/src/handlers/gcp/index.ts b/packages/airnode-deployer/src/handlers/gcp/index.ts
@@ -13,7 +13,7 @@ import {
 import { logger, DEFAULT_RETRY_DELAY_MS, randomHexString, setLogOptions, addMetadata } from '@api3/airnode-utilities';
 import { go } from '@api3/promise-utils';
 import { z } from 'zod';
-import { verifyHttpSignedDataRequest, verifyHttpRequest, VerificationResult } from '../common';
+import { verifyHttpSignedDataRequest, verifyHttpRequest, VerificationResult, verifyRequestOrigin } from '../common';
 
 const configFile = path.resolve(`${__dirname}/../../config-data/config.json`);
 const parsedConfig = loadTrustedConfig(configFile, process.env);
@@ -133,6 +133,26 @@ export async function processHttpRequest(req: Request, res: Response) {
     format: parsedConfig.nodeSettings.logFormat,
     level: parsedConfig.nodeSettings.logLevel,
   });
+
+  // Check if the request origin header is allowed in the config
+  const originVerification = verifyRequestOrigin(
+    parsedConfig.nodeSettings.httpGateway.enabled ? parsedConfig.nodeSettings.httpGateway.corsOrigins : [],
+    req.headers.origin
+  );
+  if (!originVerification.success) {
+    res.status(400).send(originVerification.error);
+    return;
+  }
+
+  // Set headers for the responses
+  res.set(originVerification.headers);
+
+  // Respond to preflight requests if the origin is allowed
+  if (req.method === 'OPTIONS') {
+    res.status(204).send('');
+    return;
+  }
+
   const apiKeyVerification = verifyGcpApiKey(req, 'HTTP_GATEWAY_API_KEY');
   if (!apiKeyVerification.success) {
     const { statusCode, error } = apiKeyVerification;
@@ -184,6 +204,26 @@ export async function processHttpSignedDataRequest(req: Request, res: Response)
     format: parsedConfig.nodeSettings.logFormat,
     level: parsedConfig.nodeSettings.logLevel,
   });
+
+  // Check if the request origin header is allowed in the config
+  const originVerification = verifyRequestOrigin(
+    parsedConfig.nodeSettings.httpGateway.enabled ? parsedConfig.nodeSettings.httpGateway.corsOrigins : [],
+    req.headers.origin
+  );
+  if (!originVerification.success) {
+    res.status(400).send(originVerification.error);
+    return;
+  }
+
+  // Set headers for the responses
+  res.set(originVerification.headers);
+
+  // Respond to preflight requests if the origin is allowed
+  if (req.method === 'OPTIONS') {
+    res.status(204).send('');
+    return;
+  }
+
   const apiKeyVerification = verifyGcpApiKey(req, 'HTTP_SIGNED_DATA_GATEWAY_API_KEY');
   if (!apiKeyVerification.success) {
     const { statusCode, error } = apiKeyVerification;

diff --git a/packages/airnode-deployer/terraform/airnode/aws/templates/httpGw.yaml.tpl b/packages/airnode-deployer/terraform/airnode/aws/templates/httpGw.yaml.tpl
@@ -59,9 +59,6 @@ components:
       name: x-api-key
       in: header
 
-security:
-  - apiKey: []
-
 paths:
   /{endpointId}:
     post:
@@ -78,6 +75,16 @@ paths:
       responses:
         "200":
           description: Request called
+          headers:
+            Access-Control-Allow-Headers:
+              schema:
+                type: string
+            Access-Control-Allow-Methods:
+              schema:
+                type: string
+            Access-Control-Allow-Origin:
+              schema:
+                type: string
           content:
             application/json:
               schema:
@@ -96,3 +103,33 @@ paths:
         responses:
           default:
             statusCode: 200
+    options:
+      parameters:
+        - $ref: "#/components/parameters/endpointId"
+      responses:
+        "204":
+          description: CORS preflight response
+          headers:
+            Access-Control-Allow-Headers:
+              schema:
+                type: string
+            Access-Control-Allow-Methods:
+              schema:
+                type: string
+            Access-Control-Allow-Origin:
+              schema:
+                type: string
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/EndpointResponse"
+      x-amazon-apigateway-integration:
+        passthroughBehavior: "when_no_match"
+        type: aws_proxy
+        uri: arn:aws:apigateway:${region}:lambda:path/2015-03-31/functions/${proxy_lambda}/invocations
+        credentials: ${role}
+        httpMethod: POST
+        payloadFormatVersion: "1.0"
+        responses:
+          default:
+            statusCode: 200
diff --git a/packages/airnode-deployer/terraform/airnode/aws/templates/httpSignedGw.yaml.tpl b/packages/airnode-deployer/terraform/airnode/aws/templates/httpSignedGw.yaml.tpl
@@ -56,9 +56,6 @@ components:
       name: x-api-key
       in: header
 
-security:
-  - apiKey: []
-
 paths:
   /{endpointId}:
     post:
@@ -75,6 +72,16 @@ paths:
       responses:
         "200":
           description: Request called
+          headers:
+            Access-Control-Allow-Headers:
+              schema:
+                type: string
+            Access-Control-Allow-Methods:
+              schema:
+                type: string
+            Access-Control-Allow-Origin:
+              schema:
+                type: string
           content:
             application/json:
               schema:
@@ -90,3 +97,33 @@ paths:
         responses:
           default:
             statusCode: 200
+    options:
+      parameters:
+        - $ref: "#/components/parameters/endpointId"
+      responses:
+        "204":
+          description: CORS preflight response
+          headers:
+            Access-Control-Allow-Headers:
+              schema:
+                type: string
+            Access-Control-Allow-Methods:
+              schema:
+                type: string
+            Access-Control-Allow-Origin:
+              schema:
+                type: string
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/EndpointResponse"
+      x-amazon-apigateway-integration:
+        passthroughBehavior: "when_no_match"
+        type: aws_proxy
+        uri: arn:aws:apigateway:${region}:lambda:path/2015-03-31/functions/${proxy_lambda}/invocations
+        credentials: ${role}
+        httpMethod: POST
+        payloadFormatVersion: "1.0"
+        responses:
+          default:
+            statusCode: 200