From 3742fdfb043eb345d1a7f5a2f2cc56254ca84175 Mon Sep 17 00:00:00 2001
From: Viljami Kuosmanen
Date: Mon, 30 Mar 2020 03:52:25 +0200
Subject: [PATCH] openapi: disable cors headers for /api/** paths

Still enabled for /rest/** and **/openapi.json
---
 src/node/hooks/express/openapi.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/node/hooks/express/openapi.js b/src/node/hooks/express/openapi.js
index 87a231945..816477929 100644
--- a/src/node/hooks/express/openapi.js
+++ b/src/node/hooks/express/openapi.js
@@ -556,6 +556,7 @@ exports.expressCreateServer = async (_, args) => {
   // serve version specific openapi definition
   app.get(`${apiRoot}/openapi.json`, (req, res) => {
+    // For openapi definitions, wide CORS is probably fine
     res.header('Access-Control-Allow-Origin', '*');
     res.json({ ...definition, servers: [generateServerForApiVersion(apiRoot, req)] });
   });
@@ -640,8 +641,11 @@ exports.expressCreateServer = async (_, args) => {
   api.init();
   app.use(apiRoot, async (req, res) => {
     try {
-      // allow cors
-      res.header('Access-Control-Allow-Origin', '*');
+      if (style === APIPathStyle.REST) {
+        // @TODO: Don't allow CORS from everywhere
+        // This is purely to maintain compatibility with old swagger-node-express
+        res.header('Access-Control-Allow-Origin', '*');
+      }
       await api.handleRequest(req, req, res);
     } catch (err) {
       if (err.name == 'apierror') {
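Review bot: The `@TODO` left on the REST branch in the second hunk names the problem but not the fix, so the wildcard `Access-Control-Allow-Origin: *` is likely to outlive the compatibility window it was kept for; I would make the comment actionable, e.g. `// @TODO: replace '*' with a configured origin allowlist: reflect req.headers.origin only when it matches, and send 'Vary: Origin' so caches keep responses per origin`. With `*` every browser page on any origin can read responses from the `/rest/**` paths, which is only harmless if those endpoints already require a credential the page must supply explicitly (the hunk does not show how these paths are authenticated, so that should be confirmed before the TODO is closed). `style` and `APIPathStyle.REST` are not defined in the hunk, so the condition's coverage of the `/api/**` case described in the commit message is inferred from the commit message rather than visible here. The `app.use(apiRoot, ...)` handler continues past the end of the hunk, so the error path that follows the `catch` is not reviewed.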