n8n/packages/cli/src/middlewares/cors.ts

import { inDevelopment } from '@/constants';
import type { RequestHandler } from 'express';

export const corsMiddleware: RequestHandler = (req, res, next) => {
	if (inDevelopment && 'origin' in req.headers) {
		// Allow access also from frontend when developing
		res.header('Access-Control-Allow-Origin', req.headers.origin);
		res.header('Access-Control-Allow-Credentials', 'true');
		res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
		res.header(
			'Access-Control-Allow-Headers',
			'Origin, X-Requested-With, Content-Type, Accept, sessionid',
		);
	}
	next();
};
fix: Enable crash journal only in production mode (no-changelog) (#4948) * consolidate various `NODE_ENV` checks in the `cli` package * enable crash journal only in production 2022-12-16 06:27:49 -08:00			`import { inDevelopment } from '@/constants';`
fix: Upgrade sse-channel to mitigate CVE-2019-10744 (#4835) sse-channel 4 removed CORS support, that's why we need to handle CORS for `/push` ourselves now. 2022-12-07 06:13:36 -08:00			`import type { RequestHandler } from 'express';`

			`export const corsMiddleware: RequestHandler = (req, res, next) => {`
			`if (inDevelopment && 'origin' in req.headers) {`
			`// Allow access also from frontend when developing`
			`res.header('Access-Control-Allow-Origin', req.headers.origin);`
			`res.header('Access-Control-Allow-Credentials', 'true');`
			`res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');`
			`res.header(`
			`'Access-Control-Allow-Headers',`
			`'Origin, X-Requested-With, Content-Type, Accept, sessionid',`
			`);`
			`}`
			`next();`
			`};`