feat: add allowHeaders to Options

src/Config.js

@@ -73,6 +73,7 @@ export class Config {
     masterKeyIps,
     masterKey,
     readOnlyMasterKey,
+    allowHeaders,
   }) {
     if (masterKey === readOnlyMasterKey) {
       throw new Error('masterKey and readOnlyMasterKey should be different');
@@ -110,6 +111,8 @@ export class Config {
     this.validateMasterKeyIps(masterKeyIps);
 
     this.validateMaxLimit(maxLimit);
+
+    this.validateAllowHeaders(allowHeaders);
   }
 
   static validateAccountLockoutPolicy(accountLockout) {
@@ -254,6 +257,22 @@ export class Config {
     }
   }
 
+  static validateAllowHeaders(allowHeaders) {
+    if (![null, undefined].includes(allowHeaders)) {
+      if (Array.isArray(allowHeaders)) {
+        allowHeaders.forEach(header => {
+          if (typeof header !== 'string') {
+            throw 'Allow headers must only contain strings';
+          } else if (!header.trim().length) {
+            throw 'Allow headers must not contain empty strings';
+          }
+        });
+      } else {
+        throw 'Allow headers must be an array';
+      }
+    }
+  }
+
   generateEmailVerifyTokenExpiresAt() {
     if (!this.verifyUserEmails || !this.emailVerifyTokenValidityDuration) {
       return undefined;
@@ -328,9 +347,7 @@ export class Config {
   }
 
   get requestResetPasswordURL() {
-    return `${this.publicServerURL}/apps/${
-      this.applicationId
-    }/request_password_reset`;
+    return `${this.publicServerURL}/apps/${this.applicationId}/request_password_reset`;
   }
 
   get passwordResetSuccessURL() {

src/Options/index.js

@@ -26,6 +26,8 @@ export interface ParseServerOptions {
   masterKeyIps: ?(string[]);
   /* Sets the app name */
   appName: ?string;
+  /* Add headers to Access-Control-Allow-Headers */
+  allowHeaders: ?(string[]);
   /* Adapter module for the analytics */
   analyticsAdapter: ?Adapter<AnalyticsAdapter>;
   /* Adapter module for the files sub-system */

src/middlewares.js

@@ -5,16 +5,20 @@ import Config from './Config';
 import ClientSDK from './ClientSDK';
 import defaultLogger from './logger';
 
+const getMountForRequest = function(req) {
+  const mountPathLength = req.originalUrl.length - req.url.length;
+  const mountPath = req.originalUrl.slice(0, mountPathLength);
+  return req.protocol + '://' + req.get('host') + mountPath;
+};
+
 // Checks that the request is authorized for this app and checks user
 // auth too.
 // The bodyparser should run before this middleware.
 // Adds info to the request:
 // req.config - the Config for this app
 // req.auth - the Auth for this request
 export function handleParseHeaders(req, res, next) {
-  var mountPathLength = req.originalUrl.length - req.url.length;
-  var mountPath = req.originalUrl.slice(0, mountPathLength);
-  var mount = req.protocol + '://' + req.get('host') + mountPath;
+  var mount = getMountForRequest(req);
 
   var info = {
     appId: req.get('X-Parse-Application-Id'),
@@ -280,12 +284,17 @@ function decodeBase64(str) {
 }
 
 export function allowCrossDomain(req, res, next) {
+  const config = Config.get(
+    req.get('X-Parse-Application-Id', getMountForRequest(req))
+  );
+  let allowHeaders =
+    'X-Parse-Master-Key, X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, Content-Type, Pragma, Cache-Control';
+  if (config && config.allowHeaders) {
+    allowHeaders += `, ${config.allowHeaders.join(', ')}`;
+  }
   res.header('Access-Control-Allow-Origin', '*');
   res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
-  res.header(
-    'Access-Control-Allow-Headers',
-    'X-Parse-Master-Key, X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, Content-Type, Pragma, Cache-Control'
-  );
+  res.header('Access-Control-Allow-Headers', allowHeaders);
   res.header(
     'Access-Control-Expose-Headers',
     'X-Parse-Job-Status-Id, X-Parse-Push-Status-Id'