[IIIF-188] use * to avoid duplicated config property

FrancescoMolinaro · FrancescoMolinaro · commit 2aee6d2b7f83 · 2025-05-13T13:21:57.000+02:00
diff --git a/src/app/core/services/server-hard-redirect.service.spec.ts b/src/app/core/services/server-hard-redirect.service.spec.ts
@@ -17,6 +17,7 @@ describe('ServerHardRedirectService', () => {
 
   beforeEach(() => {
     mockRequest.protocol = 'https';
+    mockRequest.path = '/bitstreams/test-uuid/download';
     mockRequest.headers = {
       host: 'test-host.com:4000',
     };
@@ -92,4 +93,21 @@ describe('ServerHardRedirectService', () => {
     });
   });
 
+  describe('Should add cors header on download path', () => {
+    const redirect = 'https://private-url:4000/server/api/bitstreams/uuid';
+    const environmentWithSSRUrl: any = { ...environment, ...{ ...environment.rest, rest: {
+      ssrBaseUrl: 'https://private-url:4000/server',
+      baseUrl: 'https://public-url/server',
+    } } };
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
+
+    beforeEach(() => {
+      service.redirect(redirect);
+    });
+
+    it('should set header', () => {
+      expect(serverResponseService.setHeader).toHaveBeenCalled();
+    });
+  });
+
 });
diff --git a/src/app/core/services/server-hard-redirect.service.ts b/src/app/core/services/server-hard-redirect.service.ts
@@ -59,9 +59,11 @@ export class ServerHardRedirectService extends HardRedirectService {
         status = 302;
       }
 
-      console.info(`Redirecting from ${this.req.url} to ${redirectUrl} with ${status}`);
+      if (this.req.path.endsWith('download')) {
+        this.setCorsHeader();
+      }
 
-      this.setCorsHeader();
+      console.info(`Redirecting from ${this.req.url} to ${redirectUrl} with ${status}`);
 
       this.res.redirect(status, redirectUrl);
       this.res.end();
@@ -89,15 +91,10 @@ export class ServerHardRedirectService extends HardRedirectService {
   }
 
   /**
-   * Set CORS header to allow embedding of redirected content
+   * Set CORS header to allow embedding of redirected content.
+   * The actual security header will be set by the rest
    */
   setCorsHeader() {
-    const currentOrigin = this.getCurrentOrigin();
-    const allowedOrigins = this.appConfig.rest.allowedOrigins;
-
-    if (currentOrigin && allowedOrigins?.length && allowedOrigins.includes(currentOrigin)) {
-      console.info('Setting cors header for origin ', currentOrigin);
-      this.responseService.setHeader('Access-Control-Allow-Origin', currentOrigin);
-    }
+    this.responseService.setHeader('Access-Control-Allow-Origin', '*');
   }
 }
