From a4bc5fa0df89d6cf14204291b5fac1505828af4e Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Sun, 16 Jun 2024 20:49:37 +0530
Subject: [PATCH] OPTIONS
---
 infra/workers/uploader/src/index.ts | 51 +++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)
diff --git a/infra/workers/uploader/src/index.ts b/infra/workers/uploader/src/index.ts
index e1a90df9d8..9dd2a073f6 100644
--- a/infra/workers/uploader/src/index.ts
+++ b/infra/workers/uploader/src/index.ts
@@ -7,8 +7,8 @@ export default {
 async fetch(request: Request) {
 switch (request.method) {
- // case "OPTIONS":
- // return handleOPTIONS(request);
+ case "OPTIONS":
+ return handleOPTIONS(request);
 // case "GET":
 // return handleGET(request);
 default:
@@ -17,3 +17,50 @@ export default {
 }
 },
 } satisfies ExportedHandler;
+
+const handleOPTIONS = (request: Request) => {
+ const origin = request.headers.get("Origin");
+ if (!isAllowedOrigin(origin)) console.warn("Unknown origin", origin);
+ const headers = request.headers.get("Access-Control-Request-Headers");
+ if (!areAllowedHeaders(headers))
+ console.warn("Unknown header in list", headers);
+ return new Response("", {
+ headers: {
+ "Access-Control-Allow-Origin": "*",
+ "Access-Control-Allow-Methods": "POST, PUT, OPTIONS",
+ "Access-Control-Max-Age": "86400",
+ // "Access-Control-Allow-Headers": "X-Auth-Token, X-Client-Package",
+ "Access-Control-Allow-Headers": "*",
+ "Access-Control-Expose-Headers": "X-Request-ID, CF-Ray",
+ },
+ });
+};
+
+const isAllowedOrigin = (origin: string | null) => {
+ const desktopApp = "ente://app";
+ const allowedHostnames = [
+ "web.ente.io",
+ "photos.ente.io",
+ "photos.ente.sh",
+ "localhost",
+ ];
+
+ if (!origin) return false;
+ try {
+ const url = new URL(origin);
+ return origin == desktopApp || allowedHostnames.includes(url.hostname);
+ } catch {
+ // origin is likely an invalid URL
+ return false;
+ }
+};
+
+const areAllowedHeaders = (headers: string | null) => {
+ const allowed = ["x-auth-token", "x-client-package"];
+
+ if (!headers) return true;
+ for (const header of headers.split(",")) {
+ if (!allowed.includes(header.trim().toLowerCase())) return false;
+ }
+ return true;
+};
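Review bot: In `handleOPTIONS` the results of `isAllowedOrigin(origin)` and `areAllowedHeaders(headers)` only feed a `console.warn` and the response still grants `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Headers: *`, so the allowlists (including `localhost`) enforce nothing and any page can preflight a request carrying `X-Auth-Token` to this worker. If warn-only is a deliberate soak period before tightening, say so next to the `console.warn` calls, e.g. `// TODO: log-only until the allowlists are confirmed against real traffic; then reject unlisted origins/headers`; otherwise reject unlisted origins and headers, echo the validated origin instead of `*`, and add `Vary: Origin` so a shared cache does not replay one origin's grant to another (sketch below). Note too that `Access-Control-Request-Method` is never compared against the advertised `POST, PUT, OPTIONS`, and the `==` on `origin == desktopApp` should be `===` under the file's TypeScript conventions. The non-preflight responses come from the `default:` branch outside this hunk, so whether they carry matching CORS headers cannot be confirmed here.
```typescript
const handleOPTIONS = (request: Request) => {
    const origin = request.headers.get("Origin");
    const headers = request.headers.get("Access-Control-Request-Headers");
    // Deny instead of just logging: an unlisted origin or header gets no CORS grant.
    if (!origin || !isAllowedOrigin(origin) || !areAllowedHeaders(headers))
        return new Response("", { status: 403 });
    return new Response("", {
        headers: {
            // Echo the validated origin (not "*") and tell caches the answer depends on it.
            "Access-Control-Allow-Origin": origin,
            Vary: "Origin",
            "Access-Control-Allow-Methods": "POST, PUT, OPTIONS",
            "Access-Control-Max-Age": "86400",
            "Access-Control-Allow-Headers": "X-Auth-Token, X-Client-Package",
            "Access-Control-Expose-Headers": "X-Request-ID, CF-Ray",
        },
    });
};
// … unchanged: isAllowedOrigin, areAllowedHeaders …
```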