From e2e9e4e82687d0ceb745026049ef3479899cb0fd Mon Sep 17 00:00:00 2001 From: Ade Hery Shopyan <51158020+adeherysh@users.noreply.github.com> Date: Thu, 25 Apr 2024 18:25:39 +0700 Subject: [PATCH] fix: request header secret (#104) --- .github/workflows/ci.yaml | 17 ++++++++++------- .github/workflows/publish.yaml | 1 - CONTRIBUTING.md | 16 +++++++++------- README.md | 26 ++++++++++++++------------ commands/index.ts | 6 +++--- server.ts | 16 ++++++++++++---- 6 files changed, 48 insertions(+), 34 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index bf7485f..fe6f62d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,15 +1,16 @@ name: CI on: + push: + branches: + - main pull_request: - types: [assigned, unassigned, opened, synchronize, edited, ready_for_review, reopened] branches: - main jobs: - ci: + build: runs-on: ubuntu-latest - if: github.event.pull_request.draft == false && !endsWith(github.actor, '[bot]') && github.actor != 'kitabisaengineer' steps: - name: Checkout uses: actions/checkout@v4 @@ -22,14 +23,18 @@ jobs: - name: Install dependencies run: bun install --frozen-lockfile + - name: Build package + run: bun run build + - name: Run Danger JS + if: github.event_name == 'pull_request' && github.actor != 'kitabisaengineer' && !endsWith(github.actor, '[bot]') run: bun danger ci env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} semgrep: - needs: ci runs-on: ubuntu-latest + if: github.actor != 'kitabisaengineer' && !endsWith(github.actor, '[bot]') container: image: semgrep/semgrep steps: @@ -37,6 +42,4 @@ jobs: uses: actions/checkout@v4 - name: Run Semgrep - run: semgrep ci - env: - SEMGREP_RULES: auto + run: semgrep scan --config auto diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index b07c12c..3f1766a 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
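Review bot: Removing the `types:` list on `pull_request` in the first ci.yaml hunk reverts the trigger to GitHub's default `opened`, `synchronize` and `reopened` events, so `ready_for_review` no longer starts a run, and with the `draft == false` job condition also gone the build job now runs on every push to a draft PR. If keeping CI off drafts is still wanted, keep `if: github.event.pull_request.draft == false` at the job level (the actor filters can stay on the Danger step as the hunk already does). If running on drafts is now intended, a one-line comment above `pull_request:` saying so would stop the next reader from re-adding the filter.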
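Review bot: `semgrep scan --config auto` in the last ci.yaml hunk resolves its rule set from the Semgrep registry at run time, so the rules applied on `main` can change without any commit to this repository and a passing run is not reproducible later. Pinning the configuration, either a rules file checked into the repo or a specific registry ruleset passed to `--config`, keeps scans deterministic and reviewable. If `auto` is kept for convenience, a comment on the `run:` line such as `# rules are fetched unpinned from the registry on every run` documents the trade-off.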
@@ -71,4 +71,3 @@ jobs: with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - enable-url-completion: true diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c23360c..9f2d040 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -12,13 +12,15 @@ Supple mock server with random fake data using Faker.js

- - +

+ Build Status + NPM Downloads + Docker Pull + Latest Release + License +

- +------ ## Features @@ -56,7 +58,7 @@ Run in local: $ PORT=8080 \ SECRET_KEY="" \ ALLOWED_ORIGIN="*" \ -ALLOWED_METHODS="GET,HEAD,PUT,PATCH,POST,DELETE" \ +ALLOWED_METHODS="GET, HEAD, PUT, PATCH, POST, DELETE" \ ALLOWED_HEADERS="*" \ bun server.ts ``` diff --git a/README.md b/README.md index 3362c54..4a6c461 100644 --- a/README.md +++ b/README.md @@ -12,13 +12,15 @@ Supple mock server with random fake data using Faker.js

- - +

+ Build Status + NPM Downloads + Docker Pull + Latest Release + License +

- +------ ## Features @@ -66,9 +68,9 @@ Running mock with custom params $ smockr \ --port 3000 \ --secret "mysecret" \ ---allowOrigin "*.kitabisa.com,*.kitajaga.id" \ ---allowMethods "GET,POST,PATCH" \ ---allowHeaders "Content-Type,Authorization" +--allowOrigin "*.kitabisa.com, *.kitajaga.id" \ +--allowMethods "GET, POST, PATCH" \ +--allowHeaders "Content-Type, Authorization" ``` When you define `secret` as a parameter and is not empty string, the client request must be include `X-Smockr-Secret` header with the same value @@ -98,9 +100,9 @@ Running mock with custom params ``` $ docker run -p 3000:8080 --rm \ -e SECRET_KEY="mysecret" \ --e ALLOWED_ORIGIN="*.kitabisa.com,*.kitajaga.id" \ --e ALLOWED_METHODS="GET,POST,PATCH" \ --e ALLOWED_HEADERS="Content-Type,Authorization" \ +-e ALLOWED_ORIGIN="*.kitabisa.com, *.kitajaga.id" \ +-e ALLOWED_METHODS="GET, POST, PATCH" \ +-e ALLOWED_HEADERS="Content-Type, Authorization" \ kitabisa/smockr ``` diff --git a/commands/index.ts b/commands/index.ts index 6e4a4d5..1624ac6 100644 --- a/commands/index.ts +++ b/commands/index.ts @@ -11,7 +11,7 @@ import path from 'path' * @param {number} [port=8080] define port * @param {string} [secret=""] define secret for client header X-Smockr-Secret * @param {string} [allowOrigin="*"] define allow cors origin - * @param {string} [allowMethods="GET,HEAD,PUT,PATCH,POST,DELETE"] define allow cors methods + * @param {string} [allowMethods="*"] define allow cors methods * @param {string} [allowHeaders="*"] define allow cors headers */ export default async function main( @@ -30,7 +30,7 @@ export default async function main( }) } if (allowMethods && allowMethods !== '*') { - const methods = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'] + const methods = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE', 'OPTIONS'] allowMethods.split(',').map((method) => { if (!methods.includes(method.trim().toUpperCase())) { console.error(`${method.trim().toUpperCase()} is not valid http method`) 
@@ -41,12 +41,12 @@ export default async function main( const server = path.resolve(__dirname, '../../bin/server.js') execSync(`bun ${server}`, { env: { - ...process.env, PORT: port?.toString(), SECRET_KEY: secret, ALLOWED_ORIGIN: allowOrigin, ALLOWED_METHODS: allowMethods, ALLOWED_HEADERS: allowHeaders, + NODE_ENV: process.env.NODE_ENV, }, stdio: 'inherit', }) diff --git a/server.ts b/server.ts index b89eaca..4b89051 100644 --- a/server.ts +++ b/server.ts @@ -9,12 +9,20 @@ const app = express() const dev = process.env.NODE_ENV !== 'production' const port = process.env.PORT || 8080 const secret = process.env.SECRET_KEY || '' -const allowOrigin = process.env.ALLOWED_ORIGIN || '*' +const allowOrigin = + process.env.ALLOWED_ORIGIN && process.env.ALLOWED_ORIGIN !== '*' + ? process.env.ALLOWED_ORIGIN.replaceAll(' ', '').split(',').join(', ') + : '*' const allowMethods = - process.env.ALLOWED_METHODS || 'GET,HEAD,PUT,PATCH,POST,DELETE' + process.env.ALLOWED_METHODS && process.env.ALLOWED_METHODS !== '*' + ? process.env.ALLOWED_METHODS.replaceAll(' ', '') + .split(',') + .join(', ') + .toUpperCase() + : '*' const allowHeaders = process.env.ALLOWED_HEADERS && process.env.ALLOWED_HEADERS !== '*' - ? `${process.env.ALLOWED_HEADERS},X-Smockr-Secret` + ? `${process.env.ALLOWED_HEADERS?.replaceAll(' ', '').split(',').join(', ')}, X-Smockr-Secret` : '*' const corsOptions = cors({ @@ -45,7 +53,7 @@ app.get('/favicon.ico', (_req: Request, res: Response) => { }) app.all('*', (req: Request, res: Response) => { - const clientSecret = req.headers['X-Smockr-Secret'] + const clientSecret = req.headers['x-smockr-secret'] const { mock }: any = req.query let body = mock?.response?.body let headers = mock?.response?.headers
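Review bot: Dropping `...process.env` from the `execSync` environment is a sound hardening step, since the spawned mock server no longer inherits unrelated host variables, but the replacement list omits `PATH`, so the shell launched by `execSync` must locate `bun` through its built-in default search path, which typically does not include user-local install directories; `HOME` is gone too, which some runtimes use for their cache location. Forward the two explicitly, `PATH: process.env.PATH,` and `HOME: process.env.HOME,`, next to `NODE_ENV`, and add a comment such as `// minimal env for the child server: only what bun and server.ts read` so the allow-list is not "fixed" back to a full spread later. Whether `bun` resolution actually fails depends on how it was installed, so this is inferred from the visible list rather than observed; the enclosing `main` starts and ends outside the hunk.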
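Review bot: In the server.ts hunk, `process.env.ALLOWED_HEADERS?.replaceAll(...)` uses optional chaining on a value the same expression has just checked for truthiness, and the three variables normalize their lists with three slightly different inline pipelines, which is where the next drift will come from. `replaceAll(' ', '')` also strips every space rather than trimming around commas and leaves an empty trailing entry (`"GET,"` becomes `"GET, "`), and it needs an ES2021 lib target to type-check, which I cannot confirm from the page. A small helper that splits, trims and drops empty entries, used by all three, removes the redundant `?.`, makes the three rules visibly identical apart from the `toUpperCase()` on methods, and avoids the target dependency; the `corsOptions` that consume these values lie outside the hunk.
```typescript
// … unchanged: dev / port / secret …

/** Split a comma-separated env value, trim each entry, drop empties, rejoin as "a, b". */
const normalizeList = (value: string): string =>
  value
    .split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .join(', ')

const allowOrigin =
  process.env.ALLOWED_ORIGIN && process.env.ALLOWED_ORIGIN !== '*'
    ? normalizeList(process.env.ALLOWED_ORIGIN)
    : '*'
const allowMethods =
  process.env.ALLOWED_METHODS && process.env.ALLOWED_METHODS !== '*'
    ? normalizeList(process.env.ALLOWED_METHODS).toUpperCase()
    : '*'
const allowHeaders =
  process.env.ALLOWED_HEADERS && process.env.ALLOWED_HEADERS !== '*'
    ? `${normalizeList(process.env.ALLOWED_HEADERS)}, X-Smockr-Secret`
    : '*'

// … unchanged: corsOptions …
```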
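Review bot: The lowercase key is the right fix, because Node exposes incoming header names lowercased and the old `'X-Smockr-Secret'` lookup could never have matched, but `req.headers[...]` is typed `string | string[] | undefined` and the comparison against `secret` happens below the hunk, so that code should reject a non-string value rather than coerce it, e.g. `const provided = typeof clientSecret === 'string' ? clientSecret : ''`. Since this header is the only gate on the mock when `SECRET_KEY` is set, comparing with `crypto.timingSafeEqual` on equal-length buffers (rejecting on a length mismatch first) instead of `===` avoids exposing the secret through response timing. A regression test that sends `X-Smockr-Secret` in mixed case would pin this fix; the `app.all` handler continues outside the hunk.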