ENG-758 Edge function stopped working, now needs CORS handling (#353)

* Add cors handling to test function

* better check for vercel preview

Author: maparent

apps/website/app/utils/llm/cors.ts

@@ -3,7 +3,7 @@ import { NextRequest } from "next/server";
 const allowedOrigins = ["https://roamresearch.com", "http://localhost:3000"];
 
 const isVercelPreviewUrl = (origin: string): boolean =>
-  origin.includes(".vercel.app") || origin.includes("discourse-graph");
+  /^https:\/\/.*-discourse-graph-[a-z0-9]+\.vercel\.app$/.test(origin);
 
 const isAllowedOrigin = (origin: string): boolean =>
   allowedOrigins.some((allowed) => origin.startsWith(allowed)) ||

package-lock.json

@@ -181,11 +181,34 @@ const processAndGetOrCreateSpace = async (
   return result;
 };
 
+// The following lines are duplicated from apps/website/app/utils/llm/cors.ts
+const allowedOrigins = ["https://roamresearch.com", "http://localhost:3000"];
+
+const isVercelPreviewUrl = (origin: string): boolean =>
+    /^https:\/\/.*-discourse-graph-[a-z0-9]+\.vercel\.app$/.test(origin)
+
+const isAllowedOrigin = (origin: string): boolean =>
+  allowedOrigins.some((allowed) => origin.startsWith(allowed)) ||
+  isVercelPreviewUrl(origin);
+
 // @ts-ignore Deno is not visible to the IDE
 Deno.serve(async (req) => {
+    const origin = req.headers.get("origin");
+    const originIsAllowed = origin && isAllowedOrigin(origin);
+    if (req.method === "OPTIONS") {
+      return new Response(null, {
+        status: 204,
+        headers: {
+          ...(originIsAllowed ? { "Access-Control-Allow-Origin": origin } : {}),
+          "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+          "Access-Control-Allow-Headers":
+            "Content-Type, Authorization, x-vercel-protection-bypass, x-client-info, apikey",
+          "Access-Control-Max-Age": "86400",
+        },
+      });
+    }
+
   const input = await req.json();
-  // TODO: We should check whether the request comes from a vetted source, like
-  // the roam or obsidian plugin. A combination of CSRF, headers, etc.
   // @ts-ignore Deno is not visible to the IDE
   const url = Deno.env.get("SUPABASE_URL");
   // @ts-ignore Deno is not visible to the IDE
@@ -207,9 +230,20 @@ Deno.serve(async (req) => {
     });
   }
 
-  return new Response(JSON.stringify(data), {
+  const res = new Response(JSON.stringify(data), {
     headers: { "Content-Type": "application/json" },
   });
+
+  if (originIsAllowed) {
+    res.headers.set("Access-Control-Allow-Origin", origin as string);
+    res.headers.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.headers.set(
+      "Access-Control-Allow-Headers",
+      "Content-Type, Authorization, x-vercel-protection-bypass, x-client-info, apikey",
+    );
+  }
+
+  return res;
 });
 
 /* To invoke locally:

packages/database/supabase/functions/create-space/index.ts

@@ -35,6 +35,7 @@
     "typescript": "5.5.4"
   },
   "dependencies": {
+    "@supabase/functions-js": "^2.4.5",
     "@supabase/supabase-js": "^2.52.0",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",