support either string or array for the allowOrigin option

Added a test for when an array is set as the allowOrigin value

Author: MarcDerhammer

spec/Middlewares.spec.js

@@ -287,7 +287,7 @@ describe('middlewares', () => {
     expect(headers['Access-Control-Allow-Origin']).toEqual('https://parseplatform.org/');
   });
 
-  it('should support multiple origins if several are defined in allowOrigin', () => {
+  it('should support multiple origins if several are defined in allowOrigin as a comma delimited string', () => {
     AppCache.put(fakeReq.body._ApplicationId, {
       allowOrigin: 'https://a.com,https://b.com,https://c.com',
     });
@@ -316,6 +316,35 @@ describe('middlewares', () => {
     expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com');
   });
 
+  it('should support multiple origins if several are defined in allowOrigin as an array', () => {
+    AppCache.put(fakeReq.body._ApplicationId, {
+      allowOrigin: ['https://a.com', 'https://b.com', 'https://c.com'],
+    });
+    const headers = {};
+    const res = {
+      header: (key, value) => {
+        headers[key] = value;
+      },
+    };
+    const allowCrossDomain = middlewares.allowCrossDomain(fakeReq.body._ApplicationId);
+    // Test with the first domain
+    fakeReq.headers.origin = 'https://a.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com');
+    // Test with the second domain
+    fakeReq.headers.origin = 'https://b.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://b.com');
+    // Test with the third domain
+    fakeReq.headers.origin = 'https://c.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://c.com');
+    // Test with an unauthorized domain
+    fakeReq.headers.origin = 'https://unauthorized.com';
+    allowCrossDomain(fakeReq, res, () => {});
+    expect(headers['Access-Control-Allow-Origin']).toEqual('https://a.com');
+  });
+
   it('should use user provided on field userFromJWT', done => {
     AppCache.put(fakeReq.body._ApplicationId, {
       masterKey: 'masterKey',

src/Options/Definitions.js

@@ -82,7 +82,7 @@ module.exports.ParseServerOptions = {
   allowOrigin: {
     env: 'PARSE_SERVER_ALLOW_ORIGIN',
     help:
-      'Sets the origin to Access-Control-Allow-Origin. Can be comma delimited if multiple should be supported',
+      'Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple',
   },
   analyticsAdapter: {
     env: 'PARSE_SERVER_ANALYTICS_ADAPTER',

src/Options/docs.js

@@ -61,8 +61,8 @@ export interface ParseServerOptions {
   appName: ?string;
   /* Add headers to Access-Control-Allow-Headers */
   allowHeaders: ?(string[]);
-  /* Sets the origin to Access-Control-Allow-Origin. Can be comma delimited to support multiple */
-  allowOrigin: ?string;
+  /* Sets the origin to Access-Control-Allow-Origin. Can be a string for a single origin or a comma separated string or array for multiple */
+  allowOrigin: ?(string | string[]);
   /* Adapter module for the analytics */
   analyticsAdapter: ?Adapter<AnalyticsAdapter>;
   /* Adapter module for the files sub-system */

src/Options/index.js

@@ -386,10 +386,13 @@ export function allowCrossDomain(appId) {
     }
 
     // Support for multiple origins
-    const allowedOrigins =
-      config && config.allowOrigin
-        ? config.allowOrigin.split(',').map(domain => domain.trim())
-        : ['*'];
+    let allowedOrigins = config && config.allowOrigin ? config.allowOrigin : ['*'];
+
+    // Convert comma-separated string to an array if needed
+    if (typeof allowedOrigins === 'string') {
+      allowedOrigins = allowedOrigins.split(',').map(domain => domain.trim());
+    }
+
     const requestOrigin = req.headers.origin;
     const originToSet =
       requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0];