From 258fed0a70329dd03481de42e4bd80d9c36d5614 Mon Sep 17 00:00:00 2001
From: Froilan Irizarry
Date: Tue, 18 Sep 2018 22:38:34 -0400
Subject: [PATCH 1/4] Added ALLOWED_DOMAINS to the CORS middleware. When failing client receives a 403
---
 app.js | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/app.js b/app.js
index 2399017f..bc8041c1 100644
--- a/app.js
+++ b/app.js
@@ -44,7 +44,17 @@ if( config.USE_RATE_LIMITER) {
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(cookieParser());
-app.use(cors());
+app.use(cors({
+  origin: (origin, callback) => {
+    if(config.ALLOWED_DOMAINS.includes(origin) || config.ALLOWED_DOMAINS.includes('*')) {
+      callback(null, true);
+    } else {
+      let error = new Error('Not allowed by CORS');
+      error.status = 403;
+      callback(error);
+    }
+  }
+}));
 app.use(helmet());
 app.use(helmet.hsts({
   maxAge: config.HSTS_MAX_AGE,
@@ -88,12 +98,13 @@ app.use(function(req, res, next) {
 });
 app.use(function(err, req, res, next) {
-  res.status(err.status || 500);
   logger.error({req: req, res: res, err: err});
-  res.json({
-    message: err.message,
-    error: app.get('env') === 'development' ? err : {}
-  });
+  res
+    .status(err.status || 500)
+    .json({
+      message: err.message,
+      error: app.get('env') === 'development' ? err : {}
+    });
 });
 /* ------------------------------------------------------------------ *
From aa1c9d6c1b0c23ae37f75b4772a291623b7c837f Mon Sep 17 00:00:00 2001
From: Froilan Irizarry
Date: Tue, 18 Sep 2018 22:39:44 -0400
Subject: [PATCH 2/4] Made idProd a config field to be used throughout the app - Added ALLOWED_DOMAINS for config object
---
 config/index.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/config/index.js b/config/index.js
index e91620be..63b24dff 100644
--- a/config/index.js
+++ b/config/index.js
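Review bot: The origin callback added in the `app.use(cors({...}))` hunk rejects every request that carries no `Origin` header as soon as `ALLOWED_DOMAINS` stops containing `'*'`: for same-origin, curl and server-to-server calls `origin` is `undefined`, `includes(undefined)` is false, and the 403 path fires for all of them in production. The usual fix (and the one the cors package README shows) is to accept a missing origin explicitly, `if(!origin || config.ALLOWED_DOMAINS.includes(origin) || config.ALLOWED_DOMAINS.includes('*')) {`. The commit title reads as if this were access control, so a comment on the block is worth adding: CORS is a browser-enforced policy only — a non-browser client can send any `Origin` value — and the 403 must not be relied on to restrict who can call the API. Minor: `let error` is never reassigned and should be `const error`.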
@@ -77,19 +77,20 @@ function getSwaggerConf(isProd, apiUrl) {
  */
 function getConfig(env='development') {
   let config = {
-    prod_envs: ['prod', 'production', 'stag', 'staging']
+    prod_envs: ['prod', 'production']
   };
-  const isProd = config.prod_envs.includes(env);
   const cloudFoundryEnv = cfenv.getAppEnv();
+  config.isProd = config.prod_envs.includes(env);
+
   if(cloudFoundryEnv.isLocal) {
     dotenv.config(path.join(path.dirname(__dirname), '.env'));
   }
   config.LOGGER_LEVEL = process.env.LOGGER_LEVEL
     ? process.env.LOGGER_LEVEL
-    : isProd
+    : config.isProd
       ? 'INFO'
       : 'DEBUG';
@@ -111,7 +112,7 @@ function getConfig(env='development') {
     '2.0.0'
   ];
-  config.USE_HSTS = process.env.USE_HSTS ? process.env.USE_HSTS === 'true' : isProd;
+  config.USE_HSTS = process.env.USE_HSTS ? process.env.USE_HSTS === 'true' : config.isProd;
   config.HSTS_MAX_AGE = process.env.HSTS_MAX_AGE ? parseInt(process.env.HSTS_MAX_AGE) : 31536000;
   config.HSTS_PRELOAD = false;
   config.PORT = getPort(cloudFoundryEnv);
@@ -124,8 +125,9 @@ function getConfig(env='development') {
     : cloudFoundryEnv.app.uris
       ? `${cloudFoundryEnv.app.uris[0]}/api`
       : `0.0.0.0:${config.PORT}`;
-  config.SWAGGER_DOCUMENT = getSwaggerConf(isProd, apiUrl);
+  config.SWAGGER_DOCUMENT = getSwaggerConf(config.isProd, apiUrl);
+  config.ALLOWED_DOMAINS = config.isProd ? ['https://api.data.gov'] : ['*'];
   return config;
 }
From 09159c4c14c285ecf6ca714f4ce6bed5e1118c4c Mon Sep 17 00:00:00 2001
From: Froilan Irizarry
Date: Tue, 18 Sep 2018 22:40:34 -0400
Subject: [PATCH 3/4] Changed prod environment validation to use isProd instead of prod_env array
---
 services/indexer/repo/AgencyJsonStream.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/indexer/repo/AgencyJsonStream.js b/services/indexer/repo/AgencyJsonStream.js
index cb2e005a..c0844a6a 100644
--- a/services/indexer/repo/AgencyJsonStream.js
+++ b/services/indexer/repo/AgencyJsonStream.js
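Review bot: Dropping 'stag' and 'staging' from `prod_envs` in the first config/index.js hunk changes more than the CORS list: with `isProd` now false for staging, `USE_HSTS` defaults to false, `LOGGER_LEVEL` to 'DEBUG' and `ALLOWED_DOMAINS` to `['*']` in that environment, none of which the commit message mentions — confirm this is intended or keep staging in the array. In the last hunk `config.ALLOWED_DOMAINS` is also the only security-relevant setting in `getConfig` that cannot be overridden from the environment, unlike `USE_HSTS` and `HSTS_MAX_AGE` a few lines above; `config.ALLOWED_DOMAINS = process.env.ALLOWED_DOMAINS ? process.env.ALLOWED_DOMAINS.split(',') : (config.isProd ? ['https://api.data.gov'] : ['*']);` would let a deployment add an origin without a code change. A comment above that line saying that entries must match the browser's `Origin` header exactly (scheme and host, no path or trailing slash, `'*'` meaning any origin) would spare the next maintainer a debugging round. `getConfig` continues between the hunks, outside what is shown here.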
@@ -55,7 +55,7 @@ class AgencyJsonStream extends Transform {
   async _getAgencyCodeJson(agency){
     logger.info('Entered _getAgencyCodeJson - Agency: ', agency.acronym);
-    if(this.config.prod_envs.includes(process.env.NODE_ENV)) {
+    if(this.config.isProd) {
       const errorMessage = 'FAILURE: There was an error fetching the code.json:';
       let response;
From 697e5c2430bafa886a6db3038d54dce8f6d4536c Mon Sep 17 00:00:00 2001
From: Froilan Irizarry
Date: Tue, 18 Sep 2018 22:40:59 -0400
Subject: [PATCH 4/4] Fixed test for config object changes
---
 test/unit/services/indexer/repo/agencyJsonStream.test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/unit/services/indexer/repo/agencyJsonStream.test.js b/test/unit/services/indexer/repo/agencyJsonStream.test.js
index a52f84a3..92e1df26 100644
--- a/test/unit/services/indexer/repo/agencyJsonStream.test.js
+++ b/test/unit/services/indexer/repo/agencyJsonStream.test.js
@@ -24,7 +24,7 @@ describe('AgencyJsonStream', function() {
     fetchDataDir = path.join(testDataDir, '/fetched');
     agency = JsonFile.readFileSync(path.join(testDataDir, 'test_agency_metadata.json'));
     agencyJsonStream = new AgencyJsonStream(fetchDataDir, fallbackDataDir, {
-      prod_envs: ['prod', 'production', 'stag', 'staging'],
+      isProd: false,
       supportedSchemaVersions: [
         '1.0.0',
         '1.0.1',
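Review bot: The new `if(this.config.isProd)` in `_getAgencyCodeJson` fails closed in a silent way: any caller that still passes a config object without an `isProd` key (older call sites, fixtures like the one changed in the test hunk) gets `undefined`, which is falsy, so the fetch branch is skipped with no log line explaining why. The old check read `process.env.NODE_ENV` at call time, whereas `isProd` is fixed when `getConfig(env)` runs, so the result now depends on how that `env` argument is populated — worth confirming every entry point passes `NODE_ENV` through. A one-line comment such as `// isProd is computed once in config/index.js from getConfig(env); a missing key means "not production"` would make that contract visible, and the updated test should cover the `isProd: true` branch as well as `false`. `_getAgencyCodeJson` continues past the end of the hunk.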