@emartech/boar-koa-server - npm Package Compare versions

Comparing version 2.0.0 to 3.0.0

app/index.js

 'use strict';
 
 let fs = require('fs');
-let cors = require('kcors');
+let cors = require('@koa/cors');
 let methodOverride = require('koa-methodoverride');
@@ -17,5 +17,22 @@ let bodyparser = require('koa-bodyparser');
 
-  addCorsSupportMiddleware() {
+  addCorsSupportMiddleware({ allowOrigin, allowMethods } = {
+    allowOrigin: '*',
+    allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH'
+  }) {
+    let origin = '*';
+    if (allowOrigin instanceof RegExp) {
+      origin = function(ctx) {
+        const incoming = ctx.get('Origin');
+        if (incoming.match(allowOrigin)) {
+          return incoming;
+        }
+        // eslint-disable-next-line security/detect-unsafe-regex
+        if (incoming.match(/\/localhost(:\d+)?$/)) {
+          return incoming;
+        }
+      };
+    }
     this.addMiddleware(cors({
-      origin: '*'
+      origin,
+      allowMethods
     }));
@@ -22,0 +39,0 @@ }

package.json

@@ -13,3 +13,3 @@ {
     "code-style": "eslint '**/*.js'",
-    "test-run": "mocha ./lib --recursive",
+    "test-run": "mocha ./app ./lib --recursive",
     "audit": "npm audit",
@@ -32,3 +32,3 @@ "test": "npm run test-run && npm run audit --omit=dev && npm run code-style",
     "deep-extend": "0.6.0",
-    "kcors": "2.2.2",
+    "@koa/cors": "5.0.0",
     "koa-bodyparser": "4.4.1",
@@ -52,8 +52,10 @@ "koa-helmet": "7.0.2",
     "eslint-config-emarsys": "5.1.0",
+    "koa": "2.5.1",
     "mocha": "10.2.0",
+    "npm": "9.8.0",
     "semantic-release": "21.0.7",
     "sinon": "15.2.0",
-    "npm": "9.8.0"
+    "supertest": "6.3.3"
   },
-  "version": "2.0.0"
+  "version": "3.0.0"
 }

README.md

@@ -28,3 +28,3 @@ # Boar Koa Server
 
-### Cors Support ([koa-cors](https://github.com/evert0n/koa-cors))
+### Cors Support ([@koa/cors](https://www.npmjs.com/package/@koa/cors))
 
@@ -35,2 +35,17 @@ ``` javascript
 
+Allowed settings :
+``` javascript
+  app.addCorsSupportMiddleware({
+    allowOrigin: '*', // `Access-Control-Allow-Origin`, * or a regex to filter allowed origins (for instance /emarsys.(com|net)$/)
+    allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH', // `Access-Control-Allow-Methods`
+  });
+```
+
+**⚠️ WARNING ⚠️** : 
+Not specifying an allowed origin made the middleware always return an `Access-Control-Allow-Origin` header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy (SOP), this could cause a very serious security threat to the users of this middleware.
+
+Since version `2.0.0`, the package is based `@koa/cors@5.0.0` which
+[disables this behavior](https://www.npmjs.com/package/@koa/cors/v/5.0.0#breaking-change-between-50-and-40).
+It is **highly recommended** to specify a list of allowed origins.
+
 ### Method Override ([koa-methodoverwrite](https://github.com/koa-modules/methodoverride))
@@ -37,0 +52,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

22863

increased by36.06%

Number of package files

9

increased by12.5%

Lines of code

430

increased by50.88%

Number of lines in readme file

152

increased by10.95%

Worsened metrics

Dev dependency count

9

increased by28.57%

Dependency changes

• + Added@koa/cors@5.0.0

• + Added@koa/cors@5.0.0(transitive)

• + Addedvary@1.1.2(transitive)

• - Removedkcors@2.2.2

• - Removedkcors@2.2.2(transitive)