From 7a109d9deb05fb583578b9e2e7dfb2f62aca3673 Mon Sep 17 00:00:00 2001
From: Cristian Dominguez <6853656+cristiand391@users.noreply.github.com>
Date: Fri, 22 Mar 2024 17:28:55 -0300
Subject: [PATCH] fix(auth-server): handle preflight requests (#1040)
* fix(auth-server): handle preflight requests
---
 src/webOAuthServer.ts | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/src/webOAuthServer.ts b/src/webOAuthServer.ts
index 88e8f4f91..b86563473 100644
--- a/src/webOAuthServer.ts
+++ b/src/webOAuthServer.ts
@@ -199,6 +199,12 @@ export class WebOAuthServer extends AsyncCreatable {
 const errMessage = messages.getMessage(errName, [url.pathname]);
 reject(new SfError(errMessage, errName));
 }
+ } else if (
+ request.method === 'OPTIONS' &&
+ request.headers['access-control-request-private-network'] === 'true' &&
+ request.headers['access-control-request-method']
+ ) {
+ this.webServer.handlePreflightRequest(response);
 } else {
 this.webServer.sendError(405, 'Unsupported http methods', response);
 const errName = 'invalidRequestMethod';
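Review bot: The new `else if` accepts a preflight only when `access-control-request-private-network` is exactly `'true'`, so an ordinary CORS preflight (OPTIONS carrying just `Access-Control-Request-Method`) still falls through to the 405 branch, and nothing in the hunk says whether that narrowing is deliberate; a comment above the branch would fix that, e.g. `// Private-network-access preflight (OPTIONS + Access-Control-Request-Private-Network) the browser appears to send before navigating to the local redirect URL; plain CORS preflights are still rejected below.` The branch also never consults `url.pathname`, so every path on the listener answers a matching preflight with 204 — presumably harmless for a no-content reply, but worth stating in the same comment. The enclosing request handler starts and ends outside the hunk.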
@@ -399,6 +405,22 @@ export class WebServer extends AsyncCreatable {
 this.redirectStatus.emit('complete');
 }
 
+ /**
+ * Preflight request:
+ *
+ * https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
+ * https://www.w3.org/TR/2020/SPSD-cors-20200602/#resource-preflight-requests
+ */
+ public handlePreflightRequest(response: http.ServerResponse): void {
+ // We don't validate the origin here because:
+ // 1. The default login URL (login.salesforce.com) will not match after a redirect or if user choose a custom domain in login.
+ // 2. There's no fixed list of auth URLs we could check against.
+ response.statusCode = 204; // No Content response
+ response.setHeader('Access-Control-Allow-Methods', 'GET');
+ response.setHeader('Access-Control-Request-Headers', 'GET');
+ response.end();
+ }
+
 public async handleSuccess(response: http.ServerResponse): Promise {
 return this.handleRedirect(response, '/OauthSuccess');
 }
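Review bot: `response.setHeader('Access-Control-Request-Headers', 'GET')` puts a request header name on the response, and `GET` is a method rather than a header name, so a browser will ignore the line; the response-side counterpart is `Access-Control-Allow-Headers`, and since the method is already advertised via `Access-Control-Allow-Methods` the line can simply be dropped. The reply also carries neither `Access-Control-Allow-Origin` nor `Access-Control-Allow-Private-Network: true`, the header the private-network preflight matched by the caller is asking for, so I would expect the preflight to pass only where the browser treats a failed preflight as a warning rather than a block — worth confirming against the spec linked in the doc comment. I would replace the `Access-Control-Request-Headers` line with `response.setHeader('Access-Control-Allow-Private-Network', 'true');`. Given the comment already states that the origin is deliberately not validated, the doc comment should also say that the 204 carries no body and no credentials-related headers, so an unvalidated origin gains nothing readable from it.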