PS-703 : Added CORS and helmet to middle ware for security

package.json

@@ -1,5 +1,5 @@
 {
-  "name": "middleware_micorservice",
+  "name": "middleware_microservice",
   "version": "0.0.1",
   "description": "",
   "author": "",
@@ -34,7 +34,9 @@
     "cache-manager-memory-store": "^1.1.0",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
+    "cors": "^2.8.5",
     "dotenv": "^16.4.5",
+    "helmet": "^8.0.0",
     "nest-winston": "^1.9.6",
     "passport-jwt": "^4.0.1",
     "reflect-metadata": "^0.1.14",

src/main.ts

@@ -1,11 +1,35 @@
 import { NestFactory } from '@nestjs/core';
+import helmet from 'helmet';
 import { AppModule } from './app.module';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import * as dotenv from 'dotenv';
+import { ConfigService } from '@nestjs/config';
+import { ForbiddenException } from '@nestjs/common';
 
 async function bootstrap() {
   dotenv.config(); // Load environment variables from .env file
   const app = await NestFactory.create(AppModule);
+
+  const configService = app.get(ConfigService);
+
+  const corsOriginList = configService
+    .get<string>('CORS_ORIGIN_LIST')
+    ?.split(',');
+
+  if (!corsOriginList || corsOriginList.length === 0) {
+    throw new Error('CORS_ORIGIN_LIST is not defined or empty');
+  }
+
+  if (corsOriginList[0] !== '*' && !validateCorsOriginList(corsOriginList)) {
+    throw new Error('Invalid CORS_ORIGIN_LIST');
+  }
+
+  const corsOptions = {
+    origin: corsOriginList, // Array of allowed origins
+    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE', // Specify allowed methods
+    credentials: true, // Allow credentials (cookies, authorization headers)
+  };
+
   const config = new DocumentBuilder()
     .setTitle('Middleware  APIs')
     .setDescription('The Middlware service')
@@ -17,8 +41,40 @@ async function bootstrap() {
     .build();
   const document = SwaggerModule.createDocument(app, config);
   SwaggerModule.setup('api/swagger-docs', app, document);
+
+  app.use((req, res, next) => {
+    const origin = req.headers.origin;
+
+    if (corsOriginList.includes(origin) || corsOriginList[0] === '*') {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+    } else {
+      throw new ForbiddenException('Origin not allowed');
+    }
+    res.setHeader('Access-Control-Allow-Credentials', 'true');
+    res.header(
+      'Access-Control-Allow-Methods',
+      'GET,HEAD,PUT,PATCH,POST,DELETE',
+    );
+    next();
+  });
+
+  app.enableCors(corsOptions);
+  app.use(helmet());
+
   await app.listen(4000, () => {
     console.log(`Server middleware on port - 4000`);
   });
 }
+
+function validateCorsOriginList(corsOriginList: string[]): boolean {
+  return corsOriginList.every((origin) => {
+    try {
+      new URL(origin);
+      return true;
+    } catch (error) {
+      return false;
+    }
+  });
+}
+
 bootstrap();