PS-703 : Added CORS and helmet to middle ware for security

[Xitija]

Summary by CodeRabbit

• New Features

  • Introduced CORS handling to manage cross-origin requests.
  • Added security enhancements using the helmet middleware for improved HTTP header management.

• Bug Fixes

  • Corrected the project name from "middleware_micorservice" to "middleware_microservice".

• Chores

  • Updated project dependencies to include cors and helmet.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The pull request introduces updates to the package.json and src/main.ts files. The project name in package.json has been corrected, and two new dependencies, cors and helmet, have been added. In src/main.ts, CORS handling and security enhancements have been implemented, including a new function to validate CORS origins and middleware to manage CORS headers and security headers.

Changes

File	Change Summary
package.json	Project name updated from "middleware_micorservice" to "middleware_microservice". Added dependencies: "cors": "^2.8.5" and "helmet": "^8.0.0".
src/main.ts	Added CORS handling and security enhancements. Introduced validateCorsOriginList function. Middleware for setting CORS headers and using helmet for security.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Server
    participant CORS Middleware
    participant Helmet Middleware

    Client->>Server: Request with Origin
    Server->>CORS Middleware: Check Origin
    CORS Middleware->>Server: Validate Origin
    Server->>Helmet Middleware: Apply Security Headers
    Helmet Middleware->>Server: Secure Response
    Server->>Client: Response with CORS and Security Headers

Loading

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 9ee37bc and ea31670.

📒 Files selected for processing (1)

• src/main.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/main.ts

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (2)

package.json (1)

2-2: Overall assessment: Changes improve security as intended

The modifications to package.json align well with the PR objectives. The project name correction and the addition of cors and helmet dependencies enhance the project's configuration and security capabilities. These changes lay the groundwork for implementing CORS handling and security headers in the application.

Remember to properly configure and use these new dependencies in your application code, particularly in your main application file or middleware setup.

Also applies to: 37-37, 39-39

src/main.ts (1)

58-58: Configure helmet middleware for optimal security.

Including helmet() enhances security by setting various HTTP headers. Ensure that it's correctly configured for your application's needs, especially if you have APIs that require specific header settings.

You may need to adjust helmet settings:

app.use(
  helmet({
    contentSecurityPolicy: false, // Adjust as necessary
  }),
);

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 2fabce6 and fb4859c.

📒 Files selected for processing (2)

• package.json (2 hunks)
• src/main.ts (2 hunks)

🔇 Additional comments (4)

package.json (3)

2-2: LGTM: Project name corrected

The project name has been correctly updated from "middleware_micorservice" to "middleware_microservice", fixing the typo. This change improves consistency and clarity in the project configuration.

---

37-37: LGTM: CORS dependency added

The addition of the cors package (version ^2.8.5) aligns with the PR objectives for enhancing security. This middleware will help in managing Cross-Origin Resource Sharing (CORS) headers.

To ensure we're using the latest stable version compatible with our project, please run the following command:

---

39-39: LGTM: Helmet dependency added

The addition of the helmet package (version ^8.0.0) aligns well with the PR objectives for enhancing security. Helmet will help in securing the application by setting various HTTP headers.

To ensure we're using the latest stable version compatible with our project, please run the following command:

✅ Verification successful

Verified: Helmet dependency is up to date

The helmet package is already using the latest version (8.0.0). No action is required.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check the latest version of helmet and compare with the current version
latest_version=$(npm show helmet version)
current_version=$(jq -r '.dependencies.helmet' package.json | tr -d '^')
echo "Current helmet version: $current_version"
echo "Latest helmet version: $latest_version"
if [ "$current_version" != "$latest_version" ]; then
  echo "Consider updating helmet to the latest version"
fi

Length of output: 448

---

Script:

#!/bin/bash
# Fetch the latest version of helmet from the npm registry
latest_version=$(curl -s https://registry.npmjs.org/helmet | jq -r '.["dist-tags"].latest')
current_version=$(jq -r '.dependencies.helmet' package.json | tr -d '^')
echo "Current helmet version: $current_version"
echo "Latest helmet version: $latest_version"
if [ "$latest_version" != "" ] && [ "$(printf '%s\n' "$latest_version" "$current_version" | sort -V | head -n1)" != "$current_version" ]; then
  echo "Consider updating helmet to the latest version ($latest_version)"
fi

Length of output: 419

src/main.ts (1)

2-2: Importing helmet for security enhancements.

The import statement for helmet is correctly added.

[coderabbitai]

⚠️ Potential issue

Redundant and conflicting CORS middleware.

You have manually implemented a middleware to handle CORS, but you also enable CORS using app.enableCors(corsOptions); at line 57. This redundancy can cause conflicts and unexpected behaviors.

Consider removing the custom middleware and rely on app.enableCors(corsOptions); for CORS handling.

Apply this diff to remove the custom middleware:

-  app.use((req, res, next) => {
-    const origin = req.headers.origin;
-
-    if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
-      res.setHeader('Access-Control-Allow-Origin', origin);
-    } else {
-      throw new InternalServerErrorException('Invalid CORS_ORIGIN');
-    }
-    res.setHeader('Access-Control-Allow-Credentials', 'true');
-    res.header(
-      'Access-Control-Allow-Methods',
-      'GET,HEAD,PUT,PATCH,POST,DELETE',
-    );
-    next();
-  });

If you need custom logic, you can adjust the corsOptions passed to app.enableCors().

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	app.use((req, res, next) => {
	const origin = req.headers.origin;
	if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
	res.setHeader('Access-Control-Allow-Origin', origin);
	} else {
	throw new InternalServerErrorException('Invalid CORS_ORIGIN');
	}
	res.setHeader('Access-Control-Allow-Credentials', 'true');
	res.header(
	'Access-Control-Allow-Methods',
	'GET,HEAD,PUT,PATCH,POST,DELETE',
	);
	next();
	});

[coderabbitai]

⚠️ Potential issue

Redundant CORS configuration detected.

You have enabled CORS by setting { cors: true } in NestFactory.create, and later you enable CORS again using app.enableCors(corsOptions);. This redundancy might cause unexpected behavior.

Consider removing the { cors: true } option when creating the app, since you are configuring CORS with custom options later.

Apply this diff:

-  const app = await NestFactory.create(AppModule, { cors: true });
+  const app = await NestFactory.create(AppModule);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const app = await NestFactory.create(AppModule, { cors: true });
	const app = await NestFactory.create(AppModule);

[coderabbitai]

⚠️ Potential issue

Potential issue with empty corsOriginList.

If CORS_ORIGIN_LIST is undefined or empty, accessing corsOriginList[0] could lead to an error.

Add a check to handle cases where corsOriginList is undefined or empty.

Apply this diff:

+  if (!corsOriginList || corsOriginList.length === 0) {
+    throw new Error('CORS_ORIGIN_LIST is not defined or empty');
+  }

   if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
     throw new Error('Invalid CORS_ORIGIN_LIST');
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
	throw new Error('Invalid CORS_ORIGIN_LIST');
	}
	if (!corsOriginList || corsOriginList.length === 0) {
	throw new Error('CORS_ORIGIN_LIST is not defined or empty');
	}
	if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
	throw new Error('Invalid CORS_ORIGIN_LIST');
	}

[coderabbitai]

⚠️ Potential issue

Improve CORS origin validation.

The current validation only checks if the origins include http:// or https://, which might not sufficiently validate the URLs.

Consider using the URL constructor to validate each origin.

Apply this diff:

function validateCorsOriginList(corsOriginList: string[]): boolean {
-  return corsOriginList.every((origin) => {
-    return origin.includes('http://') || origin.includes('https://');
-  });
+  return corsOriginList.every((origin) => {
+    try {
+      new URL(origin);
+      return true;
+    } catch (error) {
+      return false;
+    }
+  });
}

This approach ensures that each origin is a valid URL.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function validateCorsOriginList(corsOriginList: string[]): boolean {
	return corsOriginList.every((origin) => {
	return origin.includes('http://') || origin.includes('https://');
	});
	}
	function validateCorsOriginList(corsOriginList: string[]): boolean {
	return corsOriginList.every((origin) => {
	try {
	new URL(origin);
	return true;
	} catch (error) {
	return false;
	}
	});
	}

[coderabbitai]

⚠️ Potential issue

Improper error handling for invalid CORS origins.

Throwing an InternalServerErrorException when the origin is invalid may not be appropriate and could expose internal details.

Instead of throwing an exception, you can simply not set the Access-Control-Allow-Origin header, or respond with a 403 Forbidden status.

Apply this diff:

     if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
       res.setHeader('Access-Control-Allow-Origin', origin);
     } else {
-      throw new InternalServerErrorException('Invalid CORS_ORIGIN');
+      res.status(403).send('Forbidden');
+      return;
     }

However, removing the custom middleware as suggested earlier would eliminate this issue.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
	res.setHeader('Access-Control-Allow-Origin', origin);
	} else {
	throw new InternalServerErrorException('Invalid CORS_ORIGIN');
	}
	if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
	res.setHeader('Access-Control-Allow-Origin', origin);
	} else {
	res.status(403).send('Forbidden');
	return;
	}

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

src/main.ts (2)

13-31: LGTM: CORS configuration setup is well-implemented.

The CORS configuration is properly implemented, addressing the PR objectives. Good practices include:

• Retrieving the CORS origin list from environment variables.
• Validating the CORS origin list.
• Appropriate error handling for empty or invalid CORS_ORIGIN_LIST.
• Correct definition of corsOptions object.

Consider adding a comment explaining the purpose of the corsOriginList[0] !== '*' check in the validation condition. This will improve code readability.

---

69-78: LGTM: Improved CORS origin validation.

The validateCorsOriginList function is well-implemented, addressing a past review comment. Using the URL constructor for validation ensures that each origin is a valid URL, which is a robust approach.

Consider adding a check for the protocol to ensure only 'http:' and 'https:' URLs are allowed. This can be done by adding a condition after the URL constructor:

function validateCorsOriginList(corsOriginList: string[]): boolean {
  return corsOriginList.every((origin) => {
    try {
      const url = new URL(origin);
      return url.protocol === 'http:' || url.protocol === 'https:';
    } catch (error) {
      return false;
    }
  });
}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between fb4859c and 9ee37bc.

📒 Files selected for processing (1)

• src/main.ts (2 hunks)

🔇 Additional comments (4)

src/main.ts (4)

2-2: LGTM: Necessary imports added for security enhancements.

The new imports for helmet, ConfigService, and ForbiddenException are appropriate for implementing CORS and security headers as mentioned in the PR objectives.

Also applies to: 6-7

---

61-62: LGTM: Correct application of CORS and Helmet middleware.

The application of CORS using app.enableCors(corsOptions) and the Helmet middleware aligns with the PR objectives. These additions will enhance the security of the application by properly handling CORS and setting various HTTP security headers.

---

12-12: LGTM: Redundant CORS configuration removed.

The { cors: true } option in NestFactory.create has been removed, addressing a past review comment. This change eliminates the potential for conflicting CORS configurations.

---

Line range hint 1-81: Overall implementation aligns with PR objectives, but one issue remains.

The changes in this file successfully implement CORS and security enhancements using Helmet, addressing the main objectives of the PR. Most past review comments have been addressed, improving the overall quality and security of the code.

However, there is still a redundancy issue with the custom CORS middleware (lines 45-59) that conflicts with the app.enableCors(corsOptions) call. As mentioned in a previous comment, this custom middleware should be removed to avoid potential conflicts and unexpected behavior.

Once this final issue is resolved, the implementation will be fully aligned with the PR objectives and best practices for CORS and security handling in NestJS applications.

[coderabbitai]

⚠️ Potential issue

Remove redundant custom CORS middleware.

The custom CORS middleware implementation conflicts with the app.enableCors(corsOptions) call on line 61. This redundancy can lead to unexpected behavior and was previously pointed out in a past review comment.

Consider removing the custom middleware and relying solely on app.enableCors(corsOptions) for CORS handling. If custom logic is needed, it should be incorporated into the corsOptions object.

Apply this diff to remove the custom middleware:

-  app.use((req, res, next) => {
-    const origin = req.headers.origin;
-
-    if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
-      res.setHeader('Access-Control-Allow-Origin', origin);
-    } else {
-      throw new ForbiddenException('Origin not allowed');
-    }
-    res.setHeader('Access-Control-Allow-Credentials', 'true');
-    res.header(
-      'Access-Control-Allow-Methods',
-      'GET,HEAD,PUT,PATCH,POST,DELETE',
-    );
-    next();
-  });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	app.use((req, res, next) => {
	const origin = req.headers.origin;
	if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
	res.setHeader('Access-Control-Allow-Origin', origin);
	} else {
	throw new ForbiddenException('Origin not allowed');
	}
	res.setHeader('Access-Control-Allow-Credentials', 'true');
	res.header(
	'Access-Control-Allow-Methods',
	'GET,HEAD,PUT,PATCH,POST,DELETE',
	);
	next();
	});

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud