Merge pull request #1 from SignalK/master

update master from SK

packages/server-admin-ui/src/views/security/Settings.js

@@ -210,13 +210,14 @@ class Settings extends Component {
                     <FormGroup row>
                       <Col md="12">
                         <Label>
-                          Simple CORS requests are allowed from all hosts by
-                          default. You can restrict CORS requests to named hosts
-                          by configuring allowed CORS origins below. The host
-                          where this page is loaded from is automatically
-                          included in the allowed CORS origins so that the Admin
-                          UI continues to work. Changes to the Allowed CORS
-                          origins requires a server restart.
+                          With no configuration all CORS origins are accepted,
+                          but client requests with credentials:include do not
+                          work. Add a single * origin to allow all origins with
+                          credentials. You can also restrict CORS requests to
+                          specific origins. The origin that this UI was loaded
+                          from is automatically added to the allowed origins so
+                          that requests from the UI work. Changes to the Allowed
+                          CORS origins requires a server restart.
                         </Label>
                       </Col>
                     </FormGroup>{' '}
@@ -232,7 +233,8 @@ class Settings extends Component {
                           value={this.state.allowedCorsOrigins}
                         />
                         <FormText color="muted">
-                          Use comma delimited list, example:
+                          Use either * or a comma delimited list of origins,
+                          example:
                           http://host1.name.com:3000,http://host2.name.com:3000
                         </FormText>
                       </Col>

src/cors.ts

@@ -9,15 +9,29 @@ export function setupCors(
 ) {
   const corsDebug = createDebug('signalk-server:cors')
 
+  const corsOptions: CorsOptions = {
+    credentials: true
+  }
+
   const corsOrigins = allowedCorsOrigins
     ? allowedCorsOrigins
         .split(',')
         .map((s: string) => s.trim().replace(/\/*$/, ''))
     : []
-  corsDebug(`corsOrigins:${corsOrigins.toString()}`)
-  const corsOptions: CorsOptions = {
-    credentials: true,
-    origin: corsOrigins
+
+  // default wildcard cors configuration does not work
+  // with credentials:include client requests, so add
+  // our own wildcard rule that will match all origins
+  // but respond with that origin, not the default *
+  if (allowedCorsOrigins?.startsWith('*')) {
+    corsOptions.origin = (origin: string | undefined, cb) => cb(null, origin)
+    corsDebug('Allowing all origins')
+  } else if (corsOrigins.length > 0) {
+    // set origin only if corsOrigins are set so that
+    // we get the default cors module functionality
+    // for simple requests by default
+    corsOptions.origin = corsOrigins
+    corsDebug(`corsOrigins:${corsOrigins.toString()}`)
   }
 
   app.use(cors(corsOptions))
@@ -44,7 +58,11 @@ export const handleAdminUICORSOrigin = (
     securityConfig.allowedCorsOrigins.length > 0
   ) {
     allowedCorsOrigins = securityConfig.allowedCorsOrigins?.split(',')
-    if (allowedCorsOrigins.indexOf(securityConfig.adminUIOrigin) === -1) {
+    const adminUIOriginUrl = new URL(securityConfig.adminUIOrigin)
+    if (
+      allowedCorsOrigins.indexOf(securityConfig.adminUIOrigin) === -1 &&
+      adminUIOriginUrl.hostname !== 'localhost'
+    ) {
       allowedCorsOrigins.push(securityConfig.adminUIOrigin)
     }
   }