fix: remove trailing slash in origins; add unit test framework (#356)

Author: arcoraven

jest.config.ts

@@ -0,0 +1,5 @@
+module.exports = {
+  preset: "ts-jest",
+  testEnvironment: "node",
+  // Add any other Jest configuration options here
+};

package.json

@@ -27,7 +27,8 @@
     "lint": "eslint 'src/**/*.ts'",
     "lint:fix": "eslint --fix 'src/**/*.ts'",
     "test:load": "npx tsx ./test/load/index.ts",
-    "test:load:benchmark": "npx tsx ./test/load/scripts/account.ts"
+    "test:load:benchmark": "npx tsx ./test/load/scripts/account.ts",
+    "test:unit": "jest"
   },
   "dependencies": {
     "@aws-sdk/client-kms": "^3.398.0",
@@ -78,6 +79,7 @@
     "@types/cookie": "^0.5.1",
     "@types/crypto-js": "^4.1.2",
     "@types/express": "^4.17.17",
+    "@types/jest": "^29.5.11",
     "@types/node": "^18.15.4",
     "@types/node-cron": "^3.0.8",
     "@types/pg": "^8.6.6",
@@ -93,11 +95,13 @@
     "eslint": "^8.36.0",
     "eslint-config-prettier": "^8.7.0",
     "hardhat": "^2.1.2",
+    "jest": "^29.7.0",
     "nodemon": "^2.0.21",
     "openapi-typescript-codegen": "^0.25.0",
     "prettier": "^2.8.7",
     "prompts": "^2.4.2",
     "supertest": "^6.3.3",
+    "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",
     "typescript": "^5.1.3"
   },

src/server/middleware/cors.ts

@@ -5,25 +5,33 @@ import { env } from "../../utils/env";
 export const withCors = async (server: FastifyInstance) => {
   const originArray = env.ACCESS_CONTROL_ALLOW_ORIGIN.split(",") as string[];
   await server.register(fastifyCors, {
-    origin: originArray.map((data) => {
-      if (data.startsWith("/") && data.endsWith("/")) {
-        return new RegExp(data.slice(1, -1));
-      }
+    origin: originArray.map(sanitizeOrigin),
+    credentials: true,
+  });
+};
 
-      if (data.startsWith("*.")) {
-        const regex = data.replace("*.", ".*.");
-        return new RegExp(regex);
-      }
+export const sanitizeOrigin = (data: string): string | RegExp => {
+  if (data.startsWith("/") && data.endsWith("/")) {
+    return new RegExp(data.slice(1, -1));
+  }
 
-      if (data.includes("thirdweb-preview.com")) {
-        return new RegExp(/^https?:\/\/.*\.thirdweb-preview\.com$/);
-      }
-      if (data.includes("thirdweb-dev.com")) {
-        return new RegExp(/^https?:\/\/.*\.thirdweb-dev\.com$/);
-      }
+  if (data.startsWith("*.")) {
+    const regex = data.replace("*.", ".*.");
+    return new RegExp(regex);
+  }
 
-      return data;
-    }),
-    credentials: true,
-  });
+  if (data.includes("thirdweb-preview.com")) {
+    return new RegExp(/^https?:\/\/.*\.thirdweb-preview\.com$/);
+  }
+  if (data.includes("thirdweb-dev.com")) {
+    return new RegExp(/^https?:\/\/.*\.thirdweb-dev\.com$/);
+  }
+
+  // Remove trailing slashes.
+  // The origin header does not include a trailing slash.
+  if (data.endsWith("/")) {
+    return data.slice(0, -1);
+  }
+
+  return data;
 };

src/tests/cors.test.ts

@@ -0,0 +1,24 @@
+import { sanitizeOrigin } from "../server/middleware/cors";
+
+describe("sanitizeOrigin", () => {
+  it("with leading and trailing slashes", () => {
+    expect(sanitizeOrigin("/foobar/")).toEqual(RegExp("foobar"));
+  });
+  it("with leading wildcard", () => {
+    expect(sanitizeOrigin("*.foobar.com")).toEqual(RegExp(".*.foobar.com"));
+  });
+  it("with thirdweb domains", () => {
+    expect(sanitizeOrigin("https://thirdweb-preview.com")).toEqual(
+      new RegExp(/^https?:\/\/.*\.thirdweb-preview\.com$/),
+    );
+    expect(sanitizeOrigin("https://thirdweb-dev.com")).toEqual(
+      new RegExp(/^https?:\/\/.*\.thirdweb-dev\.com$/),
+    );
+  });
+  it("with trailing slashes", () => {
+    expect(sanitizeOrigin("https://foobar.com/")).toEqual("https://foobar.com");
+  });
+  it("fallback: don't change origin", () => {
+    expect(sanitizeOrigin("https://foobar.com")).toEqual("https://foobar.com");
+  });
+});

src/utils/env.ts

@@ -45,7 +45,7 @@ const boolSchema = (defaultBool: "true" | "false") =>
 export const env = createEnv({
   server: {
     NODE_ENV: z
-      .enum(["production", "development", "testing", "local"])
+      .enum(["production", "development", "test", "local"])
       .default("development"),
     LOG_LEVEL: z
       .enum(["fatal", "error", "warn", "info", "debug", "trace"])