tekdi · Xitija · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024
diff --git a/package.json b/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "middleware_micorservice",
+  "name": "middleware_microservice",
   "version": "0.0.1",
   "description": "",
   "author": "",
@@ -34,7 +34,9 @@
     "cache-manager-memory-store": "^1.1.0",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
+    "cors": "^2.8.5",
     "dotenv": "^16.4.5",
+    "helmet": "^8.0.0",
     "nest-winston": "^1.9.6",
     "passport-jwt": "^4.0.1",
     "reflect-metadata": "^0.1.14",

diff --git a/src/main.ts b/src/main.ts
@@ -1,15 +1,44 @@
 import { NestFactory } from '@nestjs/core';
+import helmet from 'helmet';
 import { AppModule } from './app.module';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import * as dotenv from 'dotenv';
+import { ConfigService } from '@nestjs/config';
+import { ForbiddenException } from '@nestjs/common';
 
 async function bootstrap() {
   dotenv.config(); // Load environment variables from .env file
   const app = await NestFactory.create(AppModule);
-  app.enableCors();
+
+  const configService = app.get(ConfigService);
+
+  const corsOriginList = configService
+    .get<string>('CORS_ORIGIN_LIST')
+    ?.split(',');
+
+  if (!corsOriginList || corsOriginList.length === 0) {
+    throw new Error('CORS_ORIGIN_LIST is not defined or empty');
+  }
+
+  if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
+    throw new Error('Invalid CORS_ORIGIN_LIST');
+  }
-  if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
-    throw new Error('Invalid CORS_ORIGIN_LIST');
-  }
+  if (!corsOriginList || corsOriginList.length === 0) {
+    throw new Error('CORS_ORIGIN_LIST is not defined or empty');
+  }
+
+  if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
+    throw new Error('Invalid CORS_ORIGIN_LIST');
+  }
-  if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
-    throw new Error('Invalid CORS_ORIGIN_LIST');
-  }
+  if (!corsOriginList || corsOriginList.length === 0) {
+    throw new Error('CORS_ORIGIN_LIST is not defined or empty');
+  }
+
+  if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
+    throw new Error('Invalid CORS_ORIGIN_LIST');
+  }
+
+  const corsOptions = {
+    origin: (origin, callback) => {
+      if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
+        callback(null, true);
+      } else {
+        callback(new ForbiddenException('Origin not allowed'));
+      }
+    },
+    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE', // Specify allowed methods
+    credentials: true, // Allow credentials (cookies, authorization headers)
+  };
+
   const config = new DocumentBuilder()
     .setTitle('Middleware  APIs')
-    .setDescription('The Middlware service')
+    .setDescription('The Middleware service')
     .setVersion('1.0')
     .addApiKey(
       { type: 'apiKey', name: 'Authorization', in: 'header' },
@@ -18,8 +47,24 @@ async function bootstrap() {
     .build();
   const document = SwaggerModule.createDocument(app, config);
   SwaggerModule.setup('api/swagger-docs', app, document);
-  await app.listen(process.env.PORT || 4000, () => {
-    console.log(`Server middleware on port - ${process.env.PORT}`);
+
+  app.enableCors(corsOptions);
+  app.use(helmet());
+
+  await app.listen(4000, () => {
+    console.log(`Server middleware on port - 4000`);
+  });
+}
+
+function validateCorsOriginList(corsOriginList: string[]): boolean {
+  return corsOriginList.every((origin) => {
+    try {
+      new URL(origin);
+      return true;
+    } catch (error) {
+      return false;
+    }
   });
 }
+
 bootstrap();