Add Rate limit headers to CORS (#618)

2019-09-27 09:52:51 +02:00 · 2019-09-27 09:52:51 +02:00 · e7eb2083f2
commit e7eb2083f2
parent 16a8187269
3 changed files with 46 additions and 10 deletions
--- a/NEWS.md
+++ b/NEWS.md
@ -22,6 +22,7 @@ Announcements:
 * Middlewarify query controller.
 * Set a hard limit on the size of the X-SQLAPI-Log header.
 * Update cartodb-psql to 0.14.0 and use the timeout parameter for pg.query.
+* Expose rate limit headers for CORS requests.

 ## 3.0.0
 Released 2019-02-22
--- a/app/middlewares/cors.js
+++ b/app/middlewares/cors.js
@ -1,15 +1,25 @@
 'use strict';

-module.exports = function cors(extraHeaders) {
-    return function(req, res, next) {
-        var baseHeaders = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization';
+module.exports = function cors(extraHeaders = []) {
+    return function (req, res, next) {
+        const headers = [
+            'X-Requested-With',
+            'X-Prototype-Version',
+            'X-CSRF-Token',
+            'Authorization',
+            ...extraHeaders
+        ];

-        if(extraHeaders) {
-            baseHeaders += ', ' + extraHeaders;
-        }
+        const exposedHeaders = [
+            'Carto-Rate-Limit-Limit',
+            'Carto-Rate-Limit-Remaining',
+            'Carto-Rate-Limit-Reset',
+            'Retry-After'
+        ];

        res.header('Access-Control-Allow-Origin', '*');
-        res.header('Access-Control-Allow-Headers', baseHeaders);
+        res.header('Access-Control-Allow-Headers', headers.join(', '));
+        res.header('Access-Control-Expose-Headers', exposedHeaders.join(', '));

        next();
    };
--- a/test/acceptance/app-configuration.js
+++ b/test/acceptance/app-configuration.js
@ -5,6 +5,19 @@ require('../helper');
 var server = require('../../app/server')();
 var assert = require('../support/assert');

+const accessControlHeaders = [
+    'X-Requested-With',
+    'X-Prototype-Version',
+    'X-CSRF-Token',
+    'Authorization'
+].join(', ');
+
+const exposedHeaders = [
+    'Carto-Rate-Limit-Limit',
+    'Carto-Rate-Limit-Remaining',
+    'Carto-Rate-Limit-Reset',
+    'Retry-After'
+].join(', ');

 describe('app-configuration', function() {

@ -61,7 +74,11 @@ describe('app-configuration', function() {
        }, RESPONSE_OK, function(err, res) {
            assert.equal(
                res.headers['access-control-allow-headers'],
-                'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization'
+                accessControlHeaders
+            );
+            assert.equal(
+                res.headers['access-control-expose-headers'],
+                exposedHeaders
            );
            assert.equal(res.headers['access-control-allow-origin'], '*');
            done();
@ -78,7 +95,11 @@ describe('app-configuration', function() {
            assert.equal(res.body, '');
            assert.equal(
                res.headers['access-control-allow-headers'],
-                'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization'
+                accessControlHeaders
+            );
+            assert.equal(
+                res.headers['access-control-expose-headers'],
+                exposedHeaders
            );
            assert.equal(res.headers['access-control-allow-origin'], '*');
            done();
@ -160,7 +181,11 @@ describe('app-configuration', function() {
            assert.equal(res.headers['access-control-allow-origin'], '*');
            assert.equal(
                res.headers['access-control-allow-headers'],
-                "X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization"
+                accessControlHeaders
+            );
+            assert.equal(
+                res.headers['access-control-expose-headers'],
+                exposedHeaders
            );
            done();
        });