From 734cb798d3c4bfae31db5d347e7dba481b925001 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Sun, 16 Jun 2024 09:27:59 +0530
Subject: [PATCH] Handle options

Rewritten, but referencing the existing worker imported from the dashboard
---
infra/workers/public-albums/src/index.ts | 54 +++++++++++++++++++++++-
1 file changed, 53 insertions(+), 1 deletion(-)

diff --git a/infra/workers/public-albums/src/index.ts b/infra/workers/public-albums/src/index.ts
index 3b8d194cdc..0bf7ce7bbf 100644
--- a/infra/workers/public-albums/src/index.ts
+++ b/infra/workers/public-albums/src/index.ts
@@ -2,6 +2,58 @@

 export default {
 async fetch(request: Request) {
- return new Response(null, { status: 405 });
+ switch (request.method) {
+ case "OPTIONS":
+ return handleOPTIONS(request);
+ case "GET":
+ return handleGET(request);
+ default:
+ console.log(`Unsupported HTTP method ${request.method}`);
+ return new Response(null, { status: 405 });
+ }
 },
 } satisfies ExportedHandler;
+
+const handleOPTIONS = (request: Request) => {
+ const origin = request.headers.get("Origin");
+ if (!isAllowedOrigin(origin)) console.warn("Unknown origin", origin);
+ const headers = request.headers.get("Access-Control-Request-Headers");
+ if (!areAllowedHeaders(headers))
+ console.warn("Unknown header in list", headers);
+ return new Response("", {
+ headers: {
+ "Access-Control-Allow-Origin": "*",
+ "Access-Control-Allow-Methods": "GET, OPTIONS",
+ "Access-Control-Max-Age": "86400",
+ // "Access-Control-Allow-Headers": "X-Auth-Access-Token, X-Auth-Access-Token-JWT",
+ "Access-Control-Allow-Headers": "*",
+ },
+ });
+};
+
+const isAllowedOrigin = (origin: string | null) => {
+ const allowed = ["albums.ente.io", "albums.ente.sh", "localhost"];
+
+ if (!origin) return false;
+ try {
+ const url = new URL(origin);
+ return allowed.includes(url.hostname);
+ } catch {
+ // origin is likely an invalid URL
+ return false;
+ }
+};
+
+const areAllowedHeaders = (headers: string | null) => {
+ const allowed = ["x-auth-access-token", "x-auth-access-token-jwt"];
+
+ if (!headers) return true;
+ for (const header of headers.split(",")) {
+ if (!allowed.includes(header.trim().toLowerCase())) return false;
+ }
+ return true;
+};
+
+const handleGET = async (request: Request) => {
+// TODO
+};
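Review bot: `handleOPTIONS` calls `isAllowedOrigin(origin)` and `areAllowedHeaders(headers)` but only logs the result; every preflight still receives `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Headers: *`, so the two allowlists have no effect on what a browser is permitted to send. If log-only is deliberate while parity with the dashboard worker is being established, a comment above the checks should say so; if the lists are meant to be enforced, the preflight should be rejected when either check fails and the validated origin echoed with `Vary: Origin` instead of the wildcard, as sketched below. Separately, `isAllowedOrigin` compares only `url.hostname`, so scheme and port are not considered and `localhost` is accepted in every deployment, which matters once the check gates the response. `handleGET` is still a stub that resolves to `undefined`, so a GET request does not yet yield a `Response`.

```typescript
const handleOPTIONS = (request: Request) => {
    const origin = request.headers.get("Origin");
    const headers = request.headers.get("Access-Control-Request-Headers");
    if (!origin || !isAllowedOrigin(origin) || !areAllowedHeaders(headers)) {
        console.warn("Rejecting preflight", origin, headers);
        // No CORS headers on the reply, so the browser fails the preflight.
        return new Response(null, { status: 403 });
    }
    return new Response("", {
        headers: {
            // Echo the validated origin; Vary keeps caches from reusing it across origins.
            "Access-Control-Allow-Origin": origin,
            Vary: "Origin",
            // … unchanged: Access-Control-Allow-Methods, Access-Control-Max-Age …
            "Access-Control-Allow-Headers":
                "X-Auth-Access-Token, X-Auth-Access-Token-JWT",
        },
    });
};
```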