From 73021d1f898286486239ff286f80e8afc620f9e8 Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Mon, 24 May 2021 14:51:16 +0530
Subject: [PATCH 1/4] [FIX] CORS error while interacting with any action button on Livechat

---
 app/apps/server/communication/uikit.js | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index 3010447e93051..ceb3c247a8b4b 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -1,4 +1,5 @@
 import express from 'express';
+import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { Meteor } from 'meteor/meteor';
 import { WebApp } from 'meteor/webapp';
@@ -14,6 +15,25 @@
 const apiServer = express();
 apiServer.disable('x-powered-by');

+let corsEnabled = false;
+let allowListOrigins = [];
+
+settings.get('API_Enable_CORS', (_, value) => { corsEnabled = value; });
+
+settings.get('API_CORS_Origin', (_, value) => {
+ allowListOrigins = value ? value.trim().split(',').map((origin) => String(origin).trim().toLocaleLowerCase()) : [];
+});
+
+apiServer.use(cors({
+ origin: (origin, callback) => {
+ if (!origin || !corsEnabled || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
+ callback(null, true);
+ } else {
+ callback('Not allowed by CORS', false);
+ }
+ },
+}));
+
 WebApp.connectHandlers.use(apiServer);

 // eslint-disable-next-line new-cap

From c5968d2f5c83de059793847bb5d8124d752a8ba2 Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Mon, 24 May 2021 14:53:45 +0530
Subject: [PATCH 2/4] remove unnecessary condition check

---
 app/apps/server/communication/uikit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
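Review bot: The `origin === settings.get('Site_Url')` fallback in the new `origin` callback compares a browser Origin header, which is always `scheme://host[:port]` with no trailing slash or path, against the raw Site_Url setting, so a value configured with a trailing slash would never match and same-site requests would then be accepted only if CORS is enabled and the origin is also in the allow list. Normalize the setting before comparing, e.g. `const siteOrigin = new URL(settings.get('Site_Url')).origin;` wrapped in a try/catch for an unparsable value, and then `origin === siteOrigin`. Whether Site_Url is stored with a trailing slash is not visible here, so confirm against the setting's default before changing the comparison. The same comparison is carried unchanged through the hunks in patches 2/4, 3/4 and 4/4, so the fix applies there as well.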
diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index ceb3c247a8b4b..f157ef1f2619e 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -26,7 +26,7 @@ settings.get('API_CORS_Origin', (_, value) => {

 apiServer.use(cors({
 origin: (origin, callback) => {
- if (!origin || !corsEnabled || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
+ if (!origin || !corsEnabled || ((allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
 callback(null, true);
 } else {
 callback('Not allowed by CORS', false);

From 2ccefb18e09e20a1a6000eea9bdbdaa9bf9ae019 Mon Sep 17 00:00:00 2001
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Mon, 24 May 2021 14:55:02 +0530
Subject: [PATCH 3/4] Remove unwanted brackets

---
 app/apps/server/communication/uikit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index f157ef1f2619e..d444f554807e7 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -26,7 +26,7 @@ settings.get('API_CORS_Origin', (_, value) => {

 apiServer.use(cors({
 origin: (origin, callback) => {
- if (!origin || !corsEnabled || ((allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
+ if (!origin || !corsEnabled || (allowListOrigins.includes('*') || allowListOrigins.includes(origin)) || origin === settings.get('Site_Url')) {
 callback(null, true);
 } else {
 callback('Not allowed by CORS', false);

From 131cd2c768f61db42b60003e675b688c97177f90 Mon Sep 17 00:00:00 2001
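Review bot: The rewritten `if` still matches the raw `origin` against `allowListOrigins`, whose entries were lower-cased with `toLocaleLowerCase()` when the setting was parsed, so the comparison is case-normalized on one side only. Browsers generally send the Origin header already in lower case, so this is mostly a consistency point, but a symmetric match is `allowListOrigins.includes(origin.toLowerCase())` (the `!origin` guard earlier in the condition already rules out a missing header), and the parser should prefer `toLowerCase()` over `toLocaleLowerCase()` for host names since the locale-aware form can map some characters differently under certain locales. The enclosing `cors({ ... })` call starts and ends outside this hunk, and the identical line in patch 3/4 has the same property.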
From: Murtaza Patrawala <34130764+murtaza98@users.noreply.github.com>
Date: Wed, 26 May 2021 00:00:08 +0530
Subject: [PATCH 4/4] Fix CORS disable not working

---
 app/apps/server/communication/uikit.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/apps/server/communication/uikit.js b/app/apps/server/communication/uikit.js
index d444f554807e7..4279f90afca31 100644
--- a/app/apps/server/communication/uikit.js
+++ b/app/apps/server/communication/uikit.js
@@ -24,15 +24,15 @@ settings.get('API_CORS_Origin', (_, value) => {
 allowListOrigins = value ? value.trim().split(',').map((origin) => String(origin).trim().toLocaleLowerCase()) : [];
 });

-apiServer.use(cors({
+const corsOptions = {
 origin: (origin, callback) => {
- if (!origin || !corsEnabled || (allowListOrigins.includes('*') || allowListOrigins.includes(origin)) || origin === settings.get('Site_Url')) {
+ if (!origin || (corsEnabled && (allowListOrigins.includes('*') || allowListOrigins.includes(origin))) || origin === settings.get('Site_Url')) {
 callback(null, true);
 } else {
 callback('Not allowed by CORS', false);
 }
 },
-}));
+};

 WebApp.connectHandlers.use(apiServer);

@@ -79,7 +79,7 @@ router.use((req, res, next) => {
 next();
 });

-apiServer.use('/api/apps/ui.interaction/', router);
+apiServer.use('/api/apps/ui.interaction/', cors(corsOptions), router);

 const getPayloadForType = (type, req) => {
 if (type === UIKitIncomingInteractionType.BLOCK) {
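Review bot: `callback('Not allowed by CORS', false)` inside the new `corsOptions.origin` rejects with a bare string; the `cors` middleware forwards that value to `next(err)`, and Express's error handling is built around Error objects, so use `callback(new Error('Not allowed by CORS'));` instead. The allow conditions in the `if` are easy to misread (the operator precedence there is exactly what this patch fixes), so `corsOptions` deserves a header comment stating that a request without an Origin header passes, that with CORS enabled the origin must be in the allow list or the list must contain `*`, and that the site's own URL is always accepted. Note also that answering `true` makes `cors` reflect the requesting origin in `Access-Control-Allow-Origin` rather than emitting a literal `*`; that is equivalent to a wildcard only while `credentials` stays unset, so keep `corsOptions` without `credentials: true` unless the `*` branch is tightened at the same time.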