check-gateway-cors.mjs
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor ⚠ breaking 3 days ago
1 #!/usr/bin/env node
2 /**
3 * OPTIONS preflight probe against the hosted gateway (no JWT).
4 * Confirms Access-Control-Allow-Origin is not * together with Allow-Credentials: true.
5 *
6 * KNOWTATION_HUB_API=https://knowtation-gateway.netlify.app node scripts/check-gateway-cors.mjs
7 */
8
// Gateway base URL. A single trailing slash is dropped so request paths can be
// appended with a leading "/".
const configuredBase = process.env.KNOWTATION_HUB_API || 'https://knowtation-gateway.netlify.app';
const apiBase = configuredBase.endsWith('/') ? configuredBase.slice(0, -1) : configuredBase;

// Origins sent in the preflight probe: a comma-separated list, each entry
// trimmed, empty entries discarded.
const configuredOrigins =
  process.env.KNOWTATION_CORS_TEST_ORIGINS || 'https://knowtation.store,https://www.knowtation.store';
const origins = [];
for (const entry of configuredOrigins.split(',')) {
  const candidate = entry.trim();
  if (candidate) {
    origins.push(candidate);
  }
}
15
/**
 * Sends an unauthenticated CORS preflight (OPTIONS) for a GET to the gateway
 * health endpoint and reports the CORS headers that came back.
 *
 * @param {string} origin - Value to send in the Origin request header.
 * @returns {Promise<{status: number, allowOrigin: (string|null), allowCredentials: (string|null)}>}
 *   HTTP status plus the raw Access-Control-Allow-Origin and
 *   Access-Control-Allow-Credentials header values (null when absent).
 */
async function probe(origin) {
  const preflightHeaders = {
    Origin: origin,
    'Access-Control-Request-Method': 'GET',
  };
  const response = await fetch(`${apiBase}/api/v1/health`, {
    method: 'OPTIONS',
    headers: preflightHeaders,
  });
  const { status, headers } = response;
  return {
    status,
    allowOrigin: headers.get('access-control-allow-origin'),
    allowCredentials: headers.get('access-control-allow-credentials'),
  };
}
29
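/**
 * Probes each configured origin and prints one result line per origin.
 *
 * A response is reported INVALID when Access-Control-Allow-Origin is exactly
 * "*" while Access-Control-Allow-Credentials is exactly "true". Any invalid
 * result or failed probe sets a non-zero exit code so the script can gate a
 * CI job; the remaining origins are still probed first.
 *
 * Limitation: only the wildcard-plus-credentials combination is checked. A
 * gateway that echoes back an origin that is not on its allow-list is not
 * detected here, because every probed origin is expected to be allowed.
 *
 * @returns {Promise<void>}
 */
async function main() {
  console.log('Gateway:', apiBase);
  let failed = false;
  for (const origin of origins) {
    try {
      const r = await probe(origin);
      // Both comparisons are exact string matches on the raw header values.
      const bad = r.allowOrigin === '*' && r.allowCredentials === 'true';
      if (bad) {
        failed = true;
      }
      console.log(
        origin,
        '→',
        r.status,
        'Allow-Origin:',
        r.allowOrigin || '(missing)',
        'Allow-Credentials:',
        r.allowCredentials || '(missing)',
        bad ? '❌ INVALID (* + credentials)' : 'ok',
      );
    } catch (e) {
      // A probe that could not complete proves nothing about the CORS policy,
      // so it counts as a failure, but the other origins are still checked.
      failed = true;
      console.log(origin, '→ ERROR', e.message);
    }
  }
  console.log('\nProduction: set Netlify HUB_CORS_ORIGIN to both apex and www (see hub/gateway/cors-middleware.mjs).');
  if (failed) {
    // exitCode (not exit()) lets pending output flush before the process ends.
    process.exitCode = 1;
  }
}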
52
/**
 * Last-resort handler: prints an error that escaped main() and exits with
 * status 1.
 *
 * @param {unknown} err - The rejection reason from main().
 */
function reportFatal(err) {
  console.error(err);
  process.exit(1);
}

main().catch(reportFatal);
File History 2 commits
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor 3 days ago
sha256:9103f98c89257ed2b01c237cea895dabb3e85ea337dccb1161c175e4422355b6 docs: accept Calendar Events v0 spec with Phase 0 security … Human 3 days ago