feat(binding-http): Make Access-Control-Allow-Origin header configurable

Add allowedOrigins option to HttpConfig interface to let users configure
the Access-Control-Allow-Origin header value. Defaults to '*' for backward
compatibility. Secured things still echo the request origin with credentials
regardless of this setting.

Fixes #941

Signed-off-by: jona42-ui <jonathanthembo123@gmail.com>

Author: jona42-ui

packages/binding-http/README.md

@@ -180,6 +180,7 @@ The protocol binding can be configured using his constructor or trough servient
     baseUri?: string                         // A Base URI to be used in the TD in cases where the client will access a different URL than the actual machine serving the thing.  [See Using BaseUri below]
     urlRewrite?: Record<string, string>      // A record to allow for other URLs pointing to existing endpoints, e.g., { "/myroot/myUrl": "/test/properties/test" }
     middleware?: MiddlewareRequestHandler;   // the MiddlewareRequestHandler function. See [Adding a middleware] section below.
+    allowedOrigins?: string;                 // Configures the Access-Control-Allow-Origin header. Defaults to "*" (any origin). See [Configuring CORS] section below.
 }
 ```
 
@@ -305,6 +306,21 @@ The exposed thing on the internal server will product form URLs such as:
 
 > `address` tells the HttpServer a specific local network interface to bind its TCP listener.
 
+### Configuring CORS
+
+By default, the HTTP binding sets the `Access-Control-Allow-Origin` header to `"*"`, allowing any origin to access exposed Things. You can restrict this to a specific origin using the `allowedOrigins` configuration option:
+
+```js
+servient.addServer(
+    new HttpServer({
+        port: 8080,
+        allowedOrigins: "https://my-app.example.com",
+    })
+);
+```
+
+When a security scheme (e.g. `basic`, `bearer`) is configured, the server echoes the request's `Origin` header and sets `Access-Control-Allow-Credentials: true`, regardless of the `allowedOrigins` value. This is required for browsers to send credentials in cross-origin requests.
+
 ### Adding a middleware
 
 HttpServer supports the addition of **middleware** to handle the raw HTTP requests before they hit the Servient. In the middleware function, you can run some logic to filter and eventually reject HTTP requests (e.g. based on some custom headers).

packages/binding-http/src/http-server.ts

@@ -65,6 +65,7 @@ export default class HttpServer implements ProtocolServer {
     private readonly baseUri?: string;
     private readonly urlRewrite?: Record<string, string>;
     private readonly devFriendlyUri: boolean;
+    private readonly allowedOrigins: string;
     private readonly supportedSecuritySchemes: string[] = ["nosec"];
     private readonly validOAuthClients: RegExp = /.*/g;
     private readonly server: http.Server | https.Server;
@@ -85,6 +86,7 @@ export default class HttpServer implements ProtocolServer {
         this.urlRewrite = config.urlRewrite;
         this.middleware = config.middleware;
         this.devFriendlyUri = config.devFriendlyUri ?? true;
+        this.allowedOrigins = config.allowedOrigins ?? "*";
 
         const router = Router({
             ignoreTrailingSlash: true,
@@ -251,6 +253,10 @@ export default class HttpServer implements ProtocolServer {
         return this.things;
     }
 
+    public getAllowedOrigins(): string {
+        return this.allowedOrigins;
+    }
+
     /** returns server port number and indicates that server is running when larger than -1  */
     public getPort(): number {
         const address = this.server?.address();

packages/binding-http/src/http.ts

@@ -47,6 +47,11 @@ export interface HttpConfig {
     security?: SecurityScheme[];
     devFriendlyUri?: boolean;
     middleware?: MiddlewareRequestHandler;
+    /**
+     * Configures the Access-Control-Allow-Origin header.
+     * Default is "*" (any origin allowed).
+     */
+    allowedOrigins?: string;
 }
 
 export interface OAuth2ServerConfig extends SecurityScheme {

packages/binding-http/src/routes/action.ts

@@ -67,7 +67,7 @@ export default async function actionRoute(
         return;
     }
     // TODO: refactor this part to move into a common place
-    setCorsForThing(req, res, thing);
+    setCorsForThing(req, res, thing, this.getAllowedOrigins());
     let corsPreflightWithCredentials = false;
     const securityScheme = thing.securityDefinitions[Helpers.toStringArray(thing.security)[0]].scheme;
 
@@ -110,6 +110,6 @@ export default async function actionRoute(
     } else {
         // may have been OPTIONS that failed the credentials check
         // as a result, we pass corsPreflightWithCredentials
-        respondUnallowedMethod(req, res, "POST", corsPreflightWithCredentials);
+        respondUnallowedMethod(req, res, "POST", corsPreflightWithCredentials, this.getAllowedOrigins());
     }
 }

packages/binding-http/src/routes/common.ts

@@ -21,7 +21,8 @@ export function respondUnallowedMethod(
     req: IncomingMessage,
     res: ServerResponse,
     allowed: string,
-    corsPreflightWithCredentials = false
+    corsPreflightWithCredentials = false,
+    allowedOrigins = "*"
 ): void {
     // Always allow OPTIONS to handle CORS pre-flight requests
     if (!allowed.includes("OPTIONS")) {
@@ -40,7 +41,7 @@ export function respondUnallowedMethod(
             res.setHeader("Access-Control-Allow-Origin", origin);
             res.setHeader("Access-Control-Allow-Credentials", "true");
         } else {
-            res.setHeader("Access-Control-Allow-Origin", "*");
+            res.setHeader("Access-Control-Allow-Origin", allowedOrigins);
         }
         res.setHeader("Access-Control-Allow-Methods", allowed);
         res.setHeader("Access-Control-Allow-Headers", "content-type, authorization, *");
@@ -91,7 +92,12 @@ export function securitySchemeToHttpHeader(scheme: string): string {
     return first.toUpperCase() + rest.join("").toLowerCase();
 }
 
-export function setCorsForThing(req: IncomingMessage, res: ServerResponse, thing: ExposedThing): void {
+export function setCorsForThing(
+    req: IncomingMessage,
+    res: ServerResponse,
+    thing: ExposedThing,
+    allowedOrigins = "*"
+): void {
     const securityScheme = thing.securityDefinitions[Helpers.toStringArray(thing.security)[0]].scheme;
     // Set CORS headers
 
@@ -100,6 +106,6 @@ export function setCorsForThing(req: IncomingMessage, res: ServerResponse, thing
         res.setHeader("Access-Control-Allow-Origin", origin);
         res.setHeader("Access-Control-Allow-Credentials", "true");
     } else {
-        res.setHeader("Access-Control-Allow-Origin", "*");
+        res.setHeader("Access-Control-Allow-Origin", allowedOrigins);
     }
 }

packages/binding-http/src/routes/event.ts

@@ -47,7 +47,7 @@ export default async function eventRoute(
         return;
     }
     // TODO: refactor this part to move into a common place
-    setCorsForThing(req, res, thing);
+    setCorsForThing(req, res, thing, this.getAllowedOrigins());
     let corsPreflightWithCredentials = false;
     const securityScheme = thing.securityDefinitions[Helpers.toStringArray(thing.security)[0]].scheme;
 
@@ -109,7 +109,7 @@ export default async function eventRoute(
     } else {
         // may have been OPTIONS that failed the credentials check
         // as a result, we pass corsPreflightWithCredentials
-        respondUnallowedMethod(req, res, "GET", corsPreflightWithCredentials);
+        respondUnallowedMethod(req, res, "GET", corsPreflightWithCredentials, this.getAllowedOrigins());
     }
     // resource found and response sent
 }

packages/binding-http/src/routes/properties.ts

@@ -39,7 +39,7 @@ export default async function propertiesRoute(
     }
 
     // TODO: refactor this part to move into a common place
-    setCorsForThing(req, res, thing);
+    setCorsForThing(req, res, thing, this.getAllowedOrigins());
     let corsPreflightWithCredentials = false;
     const securityScheme = thing.securityDefinitions[Helpers.toStringArray(thing.security)[0]].scheme;
 
@@ -86,6 +86,6 @@ export default async function propertiesRoute(
     } else {
         // may have been OPTIONS that failed the credentials check
         // as a result, we pass corsPreflightWithCredentials
-        respondUnallowedMethod(req, res, "GET", corsPreflightWithCredentials);
+        respondUnallowedMethod(req, res, "GET", corsPreflightWithCredentials, this.getAllowedOrigins());
     }
 }

packages/binding-http/src/routes/property-observe.ts

@@ -57,7 +57,7 @@ export default async function propertyObserveRoute(
     }
 
     // TODO: refactor this part to move into a common place
-    setCorsForThing(req, res, thing);
+    setCorsForThing(req, res, thing, this.getAllowedOrigins());
     let corsPreflightWithCredentials = false;
     const securityScheme = thing.securityDefinitions[Helpers.toStringArray(thing.security)[0]].scheme;
 
@@ -113,6 +113,6 @@ export default async function propertyObserveRoute(
         res.writeHead(202);
         res.end();
     } else {
-        respondUnallowedMethod(req, res, "GET", corsPreflightWithCredentials);
+        respondUnallowedMethod(req, res, "GET", corsPreflightWithCredentials, this.getAllowedOrigins());
     }
 }

packages/binding-http/src/routes/property.ts

@@ -77,7 +77,7 @@ export default async function propertyRoute(
     }
 
     // TODO: refactor this part to move into a common place
-    setCorsForThing(req, res, thing);
+    setCorsForThing(req, res, thing, this.getAllowedOrigins());
     let corsPreflightWithCredentials = false;
     const securityScheme = thing.securityDefinitions[Helpers.toStringArray(thing.security)[0]].scheme;
 
@@ -108,7 +108,7 @@ export default async function propertyRoute(
     } else if (req.method === "PUT") {
         const readOnly: boolean = property.readOnly ?? false;
         if (readOnly) {
-            respondUnallowedMethod(req, res, "GET, PUT");
+            respondUnallowedMethod(req, res, "GET, PUT", false, this.getAllowedOrigins());
             return;
         }
 
@@ -128,6 +128,6 @@ export default async function propertyRoute(
     } else {
         // may have been OPTIONS that failed the credentials check
         // as a result, we pass corsPreflightWithCredentials
-        respondUnallowedMethod(req, res, "GET, PUT", corsPreflightWithCredentials);
+        respondUnallowedMethod(req, res, "GET, PUT", corsPreflightWithCredentials, this.getAllowedOrigins());
     } // Property exists?
 }

packages/binding-http/src/routes/thing-description.ts

@@ -169,7 +169,7 @@ export default async function thingDescriptionRoute(
         const payload = await content.toBuffer();
 
         negotiateLanguage(td, thing, req);
-        res.setHeader("Access-Control-Allow-Origin", "*");
+        res.setHeader("Access-Control-Allow-Origin", this.getAllowedOrigins());
         res.setHeader("Content-Type", contentType);
         res.writeHead(200);
         debug(`Sending HTTP response for TD with Content-Type ${contentType}.`);