From 02df93d82c1e57c32a58ba6d4a4d3c5b11a066e0 Mon Sep 17 00:00:00 2001
From: Artur Sudnik-Hrynkiewicz
Date: Fri, 7 Apr 2023 16:29:12 +0200
Subject: [PATCH] chore: improving CORS headers set by Nginx
---
 nginx/nginx.gp4btc.conf | 109 +++++++++++++++++++++++-----------------
 1 file changed, 64 insertions(+), 45 deletions(-)
diff --git a/nginx/nginx.gp4btc.conf b/nginx/nginx.gp4btc.conf
index 2848a789..25806ff2 100644
--- a/nginx/nginx.gp4btc.conf
+++ b/nginx/nginx.gp4btc.conf
@@ -1,3 +1,38 @@
+map $http_origin $allow_origin {
+ default "";
+ "~^https?://(localhost:4200|localhost:4201)$" "$http_origin";
+}
+
+map $request_method $cors_method {
+ default "allowed";
+ "OPTIONS" "preflight";
+}
+
+map $cors_method $cors_max_age {
+ default "";
+ "preflight" 1;
+}
+
+map $cors_method $cors_allow_methods {
+ default "";
+ "preflight" "GET, POST, OPTIONS";
+}
+
+map $cors_method $cors_allow_headers {
+ default "";
+ "preflight" "Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since";
+}
+
+map $cors_method $cors_content_length {
+ default $initial_content_length;
+ "preflight" 0;
+}
+
+map $cors_method $cors_content_type {
+ default $initial_content_type;
+ "preflight" "text/plain charset=UTF-8";
+}
+
 server {
 listen 80;
 listen [::]:80;
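Review bot: The preflight value in the `$cors_content_type` map, `"text/plain charset=UTF-8"`, is not a valid media type because the parameter lacks its `;` separator; it should read `"preflight" "text/plain; charset=UTF-8";`. Two other choices in this hunk deserve an explicit comment: `$cors_max_age` caches preflights for only 1 second where the replaced configuration used 60, which in practice re-issues a preflight on nearly every request, and the `$allow_origin` map admits only the two localhost dev origins, so in any non-local deployment `Access-Control-Allow-Origin` is suppressed for every request. Since `Access-Control-Allow-Credentials: true` is sent with the reflected origin, I would add `# dev-only origins; production origins must be listed here explicitly, never as a wildcard, because credentials are allowed` above the map and keep the `^…$` anchors exactly as written. The `server` block that begins at the end of the hunk continues outside it.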
@@ -27,38 +62,22 @@ server {
 # gp4btc backend needs to have CORS headers disable completely,
 # otherwise they will duplicate and will not be accepted by browsers
 
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- add_header 'Access-Control-Allow-Methods' 'GET,HEAD,PUT,PATCH,POST,DELETE' always;
- add_header 'Access-Control-Allow-Headers' 'authorization' always;
- add_header 'Access-Control-Max-Age' '60' always;
- return 200;
- }
-
- if ($request_method = 'POST') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- }
-
- if ($request_method = 'GET') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- }
+ add_header Access-Control-Allow-Origin $allow_origin always;
+ add_header Access-Control-Allow-Credentials 'true' always;
+ add_header Access-Control-Max-Age $cors_max_age always;
+ add_header Access-Control-Allow-Methods $cors_allow_methods always;
+ add_header Access-Control-Allow-Headers $cors_allow_headers always;
 
- if ($request_method = 'PUT') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- }
+ set $initial_content_length $sent_http_content_length;
+ add_header 'Content-Length' "" always;
+ add_header 'Content-Length' $cors_content_length always;
 
- if ($request_method = 'PATCH') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- }
+ set $initial_content_type $sent_http_content_type;
+ add_header Content-Type "" always;
+ add_header Content-Type $cors_content_type always;
 
- if ($request_method = 'DELETE') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
+ if ($request_method = 'OPTIONS') {
+ return 204;
 }
 
 }
@@ -69,18 +88,23 @@ server {
 # gp4btc backend needs to have CORS headers disable completely,
 # otherwise they will duplicate and will not be accepted by browsers
 
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- add_header 'Access-Control-Allow-Methods' 'GET,HEAD' always;
- add_header 'Access-Control-Allow-Headers' 'authorization' always;
- add_header 'Access-Control-Max-Age' '60' always;
- return 200;
- }
+ add_header Access-Control-Allow-Origin $allow_origin always;
+ add_header Access-Control-Allow-Credentials 'true' always;
+ add_header Access-Control-Max-Age $cors_max_age always;
+ add_header Access-Control-Allow-Methods $cors_allow_methods always;
+ add_header Access-Control-Allow-Headers $cors_allow_headers always;
+
+ set $initial_content_length $sent_http_content_length;
+ add_header 'Content-Length' "" always;
+ add_header 'Content-Length' $cors_content_length always;
+
+ set $initial_content_type $sent_http_content_type;
+ add_header Content-Type "" always;
+ add_header Content-Type $cors_content_type always;
 
- if ($request_method = 'GET') {
- add_header 'Access-Control-Allow-Origin' 'http://localhost:4200' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
+ if ($request_method = 'OPTIONS') {
+ # this is necessary because preflight requests do not contain auth headers
+ return 204;
 }
 
 }
@@ -94,10 +118,5 @@ server {
 proxy_set_header Authorization "$http_authorization";
 proxy_set_header Content-Length "";
 proxy_pass http://auth-server/auth/token-introspection;
-
- if ($request_method = OPTIONS) {
- # forwarding OPTIONS requests to the backend without authorization
- return 200;
- }
 }
 }
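Review bot: The two `set $initial_content_length $sent_http_content_length;` and `set $initial_content_type $sent_http_content_type;` lines run in the rewrite phase, before any upstream response exists, so the captured values are almost certainly empty; for ordinary requests the paired `add_header Content-Length`/`Content-Type` calls then add nothing (nginx skips `add_header` with an empty value, which is what the `default ""` maps rely on), while for the `return 204` preflight they append `Content-Length: 0` and a Content-Type to a response that must not carry a body (RFC 7230 §3.3.2 forbids Content-Length on a 204). Because `add_header` appends rather than replaces, this construction cannot override upstream headers anyway, so I would remove the two `set` lines and the four Content-Length/Content-Type `add_header` lines and let the 204 and the proxied responses keep their own framing headers. Separately, the replaced code sent `Access-Control-Allow-Origin` for PUT, PATCH and DELETE, but the new preflight advertises only `GET, POST, OPTIONS`, so browsers will now refuse cross-origin PUT/PATCH/DELETE at preflight — if that narrowing is intended, say so in the comment; otherwise extend the `$cors_allow_methods` map. The enclosing `location` block begins before this hunk.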
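Review bot: The new `add_header Access-Control-Allow-Methods $cors_allow_methods always;` in this location replaces a preflight that advertised only `GET,HEAD` with the shared map's `GET, POST, OPTIONS`, so browsers are now told that credentialed cross-origin POST is acceptable on what the old configuration treated as a read-only endpoint, and HEAD is no longer advertised at all. Whether the upstream rejects POST here is not visible in the hunk, but the CORS policy should advertise only the methods the endpoint serves, so I would give this location its own method map (declared in the `http` context next to the other maps) and point the header at it. The enclosing `location` block begins before this hunk.
```nginx
map $cors_method $cors_allow_methods_readonly {
    default "";
    "preflight" "GET, HEAD, OPTIONS";
}

# … unchanged: Allow-Origin / Allow-Credentials / Max-Age headers …
add_header Access-Control-Allow-Methods $cors_allow_methods_readonly always;
```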