Skip to content

fix(cors): per-merchant CORS origin validation and DELETE endpoint #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Jaydbrown wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(cors): per-merchant CORS origin validation and DELETE endpoint #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a13c03f
fix(cors): enforce HTTPS-only, no localhost, no wildcards, max 10 ori…
Jaydbrown Jun 24, 2026
6c09291
fix(cors): add deleteCorsOrigin method to remove a single origin
Jaydbrown Jun 24, 2026
11591df
fix(cors): add DELETE /me/cors/:origin endpoint
Jaydbrown Jun 24, 2026
003cc8f
Merge branch 'main' into fix/issue-19-cors-origin-validation
oomokaro1 Jun 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions src/merchants/merchants.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import {
Param,
UseGuards,
Request,
NotFoundException,
} from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
import { MerchantsService } from './merchants.service';
Expand Down Expand Up @@ -100,4 +101,14 @@ export class MerchantsController {
return this.merchants.setCorsOrigins(m.id, dto.origins);
});
}

@Delete('me/cors/:origin')
@Roles('admin', 'merchant')
async deleteCorsOrigin(@Request() req: any, @Param('origin') origin: string) {
const m = await this.merchants.findByWallet(req.user.walletAddress);
if (!m) throw new NotFoundException('Merchant not found');
const removed = await this.merchants.deleteCorsOrigin(m.id, decodeURIComponent(origin));
if (!removed) throw new NotFoundException('Origin not found in configured list');
return { origins: await this.merchants.getCorsOrigins(m.id) };
}
}
8 changes: 7 additions & 1 deletion src/merchants/merchants.dto.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
IsOptional,
IsUrl,
IsArray,
ArrayMaxSize,
Matches,
MaxLength,
ValidateIf,
Expand Down Expand Up @@ -56,6 +57,11 @@

export class SetCorsOriginsDto {
@IsArray()
@IsUrl({}, { each: true })
@ArrayMaxSize(10, { message: 'A maximum of 10 CORS origins are allowed per merchant' })
@IsUrl(
{ protocols: ['https'], require_protocol: true, allow_localhost: false },

Check failure on line 62 in src/merchants/merchants.dto.ts

View workflow job for this annotation

GitHub Actions / lint-build-test (20) 

Object literal may only specify known properties, and 'allow_localhost' does not exist in type 'IsURLOptions'.
{ each: true, message: 'Each origin must be a valid HTTPS URL without localhost' },
)
@Matches(/^[^*]+$/, { each: true, message: 'Wildcard origins are not permitted' })
origins: string[];
}
8 changes: 8 additions & 0 deletions src/merchants/merchants.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,4 +148,12 @@ export class MerchantsService {
await this.corsCache.invalidateMerchantCache(merchantId);
return (updated.corsOrigins ?? []) as string[];
}

async deleteCorsOrigin(merchantId: string, origin: string): Promise<boolean> {
const current = await this.getCorsOrigins(merchantId);
const filtered = current.filter((o: string) => o !== origin);
if (filtered.length === current.length) return false;
await this.setCorsOrigins(merchantId, filtered);
return true;
}
}
Loading