[英]How can I disable CORS for a single route in Express without rewriting all of my routes?
TLDR: In the example, I just want to make it so that /users/delete
cannot be called by anything outside of my React app. TLDR:在这个例子中,我只是想让/users/delete
不能被我的 React 应用程序之外的任何东西调用。
I have a bunch of routes for the backend API of my app that uses Express:我的应用程序使用 Express 的后端 API 有一堆路由:
app.get('/invoices/read', async (req, res) => {
// gather data from db
res.json({...data})
})
I have cors enabled globally like so:我在全球范围内启用了 cors,如下所示:
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header(
'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept'
);
next();
});
So, my question is, how would I disable CORS for a single route such as this所以,我的问题是,我将如何禁用 CORS 像这样的单一路线
app.post('/users/delete', async (req, res) => {
// delete user out of database
res.sendStatus(200)
})
without rewriting all of my routes to something like this:无需将我的所有路线都重写为以下内容:
var cors = require('cors');
app.get('/invoices/read', cors(), async (req, res) => {
// gather data from db
res.json({...data})
})
So that a user can't just make a POST request to /users/delete
using an arbitrary ID in an attempt to delete a user out of my system?这样用户就不能只使用任意 ID 向/users/delete
发出 POST 请求,以试图将用户从我的系统中删除?
Do I need to just include the origin in my headers or do I need to disable CORS for that route?我是否需要在我的标头中包含原点,还是需要为该路由禁用 CORS?
Access-Control-Allow-Origin
header.过去,我在使用Access-Control-Allow-Origin
header 让一系列来源工作时遇到了麻烦。One other solution I've found:我发现的另一种解决方案:
On the global invocation of app.use(cors())
, you can add the option preflightContinue: true
, and that should allow follow-up middleware on the specific page to override it.在app.use(cors())
的全局调用中,您可以添加选项preflightContinue: true
,这应该允许特定页面上的后续中间件覆盖它。
In the top-level config在顶级配置中
app.use(
cors({
origin: 'http://localhost:9001',
// Allow follow-up middleware to override this CORS for options
preflightContinue: true,
}),
);
In my specific route declaration在我的具体路线声明中
router.options('/myRoute', cors(myRouteOptions));
router.post(
'/myRoute',
cors(myRouteOptions),
async (req, res) => {
// ...
},
);
Override the header only on the route you want to "disable" it:仅在要“禁用”它的路线上覆盖 header:
res.set('Access-Control-Allow-Origin', 'alloweddomain.com')
If you need to allow more than one domain, you can make a list of allowed domains and check if the origin is included there:如果您需要允许多个域,您可以列出允许的域并检查源是否包含在其中:
const allowedDomains = ['allowedomain1.com', 'alloweddomain2.com'];
const origin = req.get('origin');
if (allowedDomains.includes(origin)) {
res.set('Access-Control-Allow-Origin', origin);
}
Using Express router and cors
module:使用 Express 路由器和cors
模块:
// Define the router
const v1 = express.Router();
// Initiate express app
const api = express();
const corsOptions = {
origin: '*',
methods: [],
allowedHeaders: [],
exposedHeaders: [],
credentials: true
};
// Define subroutes here
v1.get('/list', (req, res) => { // action implementation here})
// Define cors per route
v1.all('/list', cors(corsOptions));
// Add the router to express
api.use('/', v1);
Or using a cors middleware或使用 cors 中间件
v1.get('/list', cors(corsOptions), (req, res) => { // action implementation here})
Both should work, I hope this helps.两者都应该工作,我希望这会有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.