From b4b0f832cf9baabad6e0c9b6d8e5f672c2553da6 Mon Sep 17 00:00:00 2001
From: Peter Somogyvari
Date: Thu, 14 May 2020 12:58:32 -0700
Subject: [PATCH] feat(api-server): CORS supports wildcard
Signed-off-by: Peter Somogyvari
---
 packages/bif-cmd-api-server/src/main/typescript/api-server.ts | 3 ++-
 .../src/main/typescript/config/config-service.ts | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/packages/bif-cmd-api-server/src/main/typescript/api-server.ts b/packages/bif-cmd-api-server/src/main/typescript/api-server.ts
index 78f8855be1..16ad49f822 100644
--- a/packages/bif-cmd-api-server/src/main/typescript/api-server.ts
+++ b/packages/bif-cmd-api-server/src/main/typescript/api-server.ts
@@ -110,10 +110,11 @@ export class ApiServer {
 createCorsMiddleware(): RequestHandler {
 const apiCorsDomainCsv = this.options.config.get('apiCorsDomainCsv');
 const allowedDomains = apiCorsDomainCsv.split(',');
+ const allDomainsAllowed = allowedDomains.includes('*');
 const corsOptions: CorsOptions = {
 origin: (origin: string | undefined, callback) => {
- if (origin && allowedDomains.indexOf(origin) !== -1) {
+ if (allDomainsAllowed || origin && allowedDomains.indexOf(origin) !== -1) {
 callback(null, true);
 } else {
 callback(new Error(`CORS not allowed for Origin "${origin}".`));
diff --git a/packages/bif-cmd-api-server/src/main/typescript/config/config-service.ts b/packages/bif-cmd-api-server/src/main/typescript/config/config-service.ts
index 0eff364409..6d111cc48a 100644
--- a/packages/bif-cmd-api-server/src/main/typescript/config/config-service.ts
+++ b/packages/bif-cmd-api-server/src/main/typescript/config/config-service.ts
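Review bot: In `createCorsMiddleware` (api-server.ts) the new wildcard branch answers `callback(null, true)`, which with the `cors` middleware normally echoes the caller's own Origin back rather than sending a literal `*`, and it also accepts requests that carry no Origin header at all. If the rest of `corsOptions` (it continues outside this hunk) enables credentials, a single `*` in `apiCorsDomainCsv` would let any site read authenticated responses, so I would confirm credentials stay off in wildcard mode and log a startup warning whenever `allDomainsAllowed` is true. The condition also mixes `||` and `&&` without grouping; `if (allDomainsAllowed || (origin && allowedDomains.includes(origin))) {` reads unambiguously and matches the `includes` call added above. Since `split(',')` does not trim, an entry written with a leading space will not enable the wildcard, which deserves a comment such as `// '*' must be an exact CSV entry; it allows every origin (dev/demo only)`.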
@@ -100,7 +100,9 @@ export class ConfigService {
 default: 4000,
 },
 apiCorsDomainCsv: {
- doc: 'The Comma seperated list of domains to allow Cross Origin Resource Sharing from when serving API requests.',
+ doc: 'The Comma seperated list of domains to allow Cross Origin Resource Sharing from when ' +
+ 'serving API requests. The wildcard (*) character is supported to allow CORS for any and all domains, ' +
+ 'however using it is not recommended unless you are developing or demonstrating something with BIF.',
 format: '*',
 env: 'API_CORS_DOMAIN_CSV',
 arg: 'api-cors-domain-csv',
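Review bot: The new `doc` text still speaks of "domains", but the handler in api-server.ts compares each CSV entry to the request's Origin header by exact string match, so an entry has to be a full origin (scheme, host, and port where non-default) with no surrounding spaces. Saying so here, e.g. `'Comma separated list of origins (scheme://host[:port], exact match, no spaces) to allow ...'`, would keep operators from reaching for `*` when a bare hostname fails to match. The spelling `seperated` is carried over from the removed line and could be corrected in the same edit. The schema object continues outside the hunk.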