Remove the abuse protection check since the service always validates …

sdk/web-pubsub/web-pubsub-express/CHANGELOG.md

@@ -1,15 +1,11 @@
 # Release History
 
-## 1.0.5 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 1.0.5 (2023-06-28)
 
 ### Other Changes
 
+- Remove the abuse protection check since the service always validates the request
+
 ## 1.0.4 (2023-04-03)
 
 ### Bugs Fixed

sdk/web-pubsub/web-pubsub-express/src/cloudEventsDispatcher.ts

@@ -207,16 +207,16 @@ export class CloudEventsDispatcher {
     if (!isWebPubSubRequest(req)) {
       return false;
     }
-    const origin = utils.getHttpHeader(req, "webhook-request-origin")?.toLowerCase();
+    const origin = utils.getHttpHeader(req, "webhook-request-origin");
 
     if (origin === undefined) {
       logger.warning("Expecting webhook-request-origin header.");
       res.statusCode = 400;
-    } else if (this._allowAll || this._allowedOrigins.indexOf(origin!) > -1) {
-      res.setHeader("WebHook-Allowed-Origin", origin!);
+    } else if (this._allowAll) {
+      res.setHeader("WebHook-Allowed-Origin", "*");
     } else {
-      logger.warning("Origin does not match the allowed origins: " + this._allowedOrigins);
-      res.statusCode = 400;
+      // service to do the check
+      res.setHeader("WebHook-Allowed-Origin", this._allowedOrigins);
     }
 
     res.end();

sdk/web-pubsub/web-pubsub-express/test/validate.spec.ts

@@ -16,7 +16,7 @@ describe("Abuse protection works", function () {
     assert.isFalse(result);
   });
 
-  it("When allow all endpoints the requested host should return", function () {
+  it("When allow all endpoints return *", function () {
     const req = new IncomingMessage(new Socket());
     req.headers["ce-awpsversion"] = "1.0";
     req.headers["webhook-request-origin"] = "a.com";
@@ -25,10 +25,10 @@ describe("Abuse protection works", function () {
 
     const result = dispatcher.handlePreflight(req, res);
     assert.isTrue(result);
-    assert.equal("a.com", res.getHeader("webhook-allowed-origin"));
+    assert.equal("*", res.getHeader("webhook-allowed-origin"));
   });
 
-  it("Support valid url in allowed endpoints and only return the one in the request", function () {
+  it("Support valid url in allowed endpoints and return them", function () {
     const req = new IncomingMessage(new Socket());
     req.headers["ce-awpsversion"] = "1.0";
     req.headers["webhook-request-origin"] = "a.com";
@@ -39,10 +39,10 @@ describe("Abuse protection works", function () {
 
     const result = dispatcher.handlePreflight(req, res);
     assert.isTrue(result);
-    assert.equal("a.com", res.getHeader("webhook-allowed-origin"));
+    assert.sameMembers(["a.com", "b.com"], res.getHeader("webhook-allowed-origin") as string[]);
   });
 
-  it("Not allowed endpoints should return 400", function () {
+  it("Not allowed endpoints should return 200 and we reply on service to do the validation", function () {
     const req = new IncomingMessage(new Socket());
     req.headers["ce-awpsversion"] = "1.0";
     req.headers["webhook-request-origin"] = "a.com";
@@ -53,6 +53,6 @@ describe("Abuse protection works", function () {
 
     const result = dispatcher.handlePreflight(req, res);
     assert.isTrue(result);
-    assert.equal(400, res.statusCode);
+    assert.sameMembers(["c.com", "b.com"], res.getHeader("webhook-allowed-origin") as string[]);
   });
 });