refactor: use middleware to specify CORS policy for constrained anonymous API

Author: darcyYe

packages/core/src/middleware/koa-anonymous-cors.test.ts

@@ -0,0 +1,206 @@
+import { GlobalValues } from '@logto/shared';
+import { createMockUtils } from '@logto/shared/esm';
+import type { RequestMethod } from 'node-mocks-http';
+
+import createMockContext from '#src/test-utils/jest-koa-mocks/create-mock-context.js';
+
+const { jest } = import.meta;
+
+const { mockEsmWithActual } = createMockUtils(jest);
+
+await mockEsmWithActual('#src/env-set/index.js', () => ({
+  EnvSet: {
+    get values() {
+      return new GlobalValues();
+    },
+  },
+}));
+
+const {
+  default: koaAnonymousCors,
+  localDevelopmentOrigins,
+  productionDomainSuffixes,
+} = await import('./koa-anonymous-cors.js');
+
+// eslint-disable-next-line @typescript-eslint/no-empty-function
+const noop = async () => {};
+
+const mockContext = (method: RequestMethod, url: string, origin?: string) => {
+  const ctx = createMockContext({
+    method,
+    headers: { origin: origin ?? new URL(url).origin },
+  });
+
+  // Mock the path property
+  ctx.request.path = '/anonymous-api';
+
+  const setSpy = jest.spyOn(ctx, 'set');
+
+  return [ctx, setSpy] as const;
+};
+
+// Helper function to check if CORS headers are set properly
+// Following the pattern from koa-cors.test.ts - only check headers that are actually set by @koa/cors
+const expectCorsHeaders = (setSpy: jest.SpyInstance, origin: string, shouldHaveHeaders = true) => {
+  if (shouldHaveHeaders && origin) {
+    expect(setSpy).toHaveBeenCalledWith('Access-Control-Allow-Origin', origin);
+    // @koa/cors sets these headers automatically for actual CORS requests
+    // but we should check if they are called at all during the middleware execution
+    expect(setSpy).toHaveBeenCalled();
+  } else {
+    expect(setSpy).not.toHaveBeenCalledWith(
+      'Access-Control-Allow-Origin',
+      expect.stringMatching('.*')
+    );
+  }
+};
+
+describe('koaAnonymousCors() middleware', () => {
+  const envBackup = Object.freeze({ ...process.env });
+
+  afterEach(() => {
+    process.env = { ...envBackup };
+  });
+
+  describe('in development environment', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'development';
+    });
+
+    it('should allow localhost origins in development', async () => {
+      const allowedMethods = 'GET, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx1, setSpy1] = mockContext('GET', 'http://localhost:3000');
+      await run(ctx1, noop);
+      expectCorsHeaders(setSpy1, 'http://localhost:3000');
+
+      const [ctx2, setSpy2] = mockContext('GET', 'http://127.0.0.1:8080');
+      await run(ctx2, noop);
+      expectCorsHeaders(setSpy2, 'http://127.0.0.1:8080');
+    });
+
+    it('should allow .local domains in development', async () => {
+      const allowedMethods = 'POST, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx, setSpy] = mockContext('POST', 'http://test.local:3000');
+      await run(ctx, noop);
+      expectCorsHeaders(setSpy, 'http://test.local:3000');
+    });
+
+    it('should allow host.docker.internal in development', async () => {
+      const allowedMethods = 'GET, POST, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx, setSpy] = mockContext('GET', 'http://host.docker.internal:3000');
+      await run(ctx, noop);
+      expectCorsHeaders(setSpy, 'http://host.docker.internal:3000');
+    });
+
+    it('should reject non-allowed origins in development', async () => {
+      const allowedMethods = 'GET, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx] = mockContext('GET', 'https://malicious.com');
+
+      await expect(run(ctx, noop)).rejects.toThrow();
+    });
+  });
+
+  describe('in production environment', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+    });
+
+    it('should allow *.logto.io domains in production', async () => {
+      const allowedMethods = 'GET, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx1, setSpy1] = mockContext('GET', 'https://app.logto.io');
+      await run(ctx1, noop);
+      expectCorsHeaders(setSpy1, 'https://app.logto.io');
+
+      const [ctx2, setSpy2] = mockContext('GET', 'https://test.logto.io');
+      await run(ctx2, noop);
+      expectCorsHeaders(setSpy2, 'https://test.logto.io');
+    });
+
+    it('should allow *.logto.dev domains in production', async () => {
+      const allowedMethods = 'POST, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx, setSpy] = mockContext('POST', 'https://staging.logto.dev');
+      await run(ctx, noop);
+      expectCorsHeaders(setSpy, 'https://staging.logto.dev');
+    });
+
+    it('should reject localhost in production', async () => {
+      const allowedMethods = 'GET, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx] = mockContext('GET', 'http://localhost:3000');
+
+      await expect(run(ctx, noop)).rejects.toThrow();
+    });
+
+    it('should reject non-allowed domains in production', async () => {
+      const allowedMethods = 'GET, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx] = mockContext('GET', 'https://evil.com');
+
+      await expect(run(ctx, noop)).rejects.toThrow();
+    });
+  });
+
+  describe('in integration test environment', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production';
+      process.env.INTEGRATION_TEST = 'true';
+    });
+
+    it('should allow localhost in integration test even in production mode', async () => {
+      const allowedMethods = 'GET, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx, setSpy] = mockContext('GET', 'http://localhost:3000');
+      await run(ctx, noop);
+      expectCorsHeaders(setSpy, 'http://localhost:3000');
+    });
+  });
+
+  describe('OPTIONS request handling', () => {
+    it('should handle OPTIONS requests automatically with @koa/cors', async () => {
+      const allowedMethods = 'GET, POST, OPTIONS';
+      const run = koaAnonymousCors(allowedMethods);
+
+      const [ctx] = mockContext('OPTIONS', 'http://localhost:3000');
+
+      // @koa/cors handles OPTIONS requests automatically
+      // We just verify that the middleware runs without throwing errors
+      await expect(run(ctx, noop)).resolves.not.toThrow();
+    });
+  });
+
+  describe('exported constants', () => {
+    it('should export localDevelopmentOrigins', () => {
+      expect(localDevelopmentOrigins).toEqual([
+        'localhost',
+        '127.0.0.1',
+        '0.0.0.0',
+        '[::1]',
+        '.local',
+        'host.docker.internal',
+      ]);
+    });
+
+    it('should export productionDomainSuffixes', () => {
+      expect(productionDomainSuffixes).toEqual([
+        '.logto.io',
+        '.logto.dev',
+        '.logto-docs.pages.dev',
+      ]);
+    });
+  });
+});

packages/core/src/middleware/koa-anonymous-cors.ts

@@ -0,0 +1,110 @@
+import cors from '@koa/cors';
+import { ConsoleLog } from '@logto/shared';
+import chalk from 'chalk';
+import type { MiddlewareType } from 'koa';
+
+import { EnvSet } from '#src/env-set/index.js';
+import RequestError from '#src/errors/RequestError/index.js';
+
+/**
+ * @fileoverview Anonymous CORS middleware for Logto APIs
+ *
+ * This middleware provides strict CORS (Cross-Origin Resource Sharing) control for anonymous APIs
+ * that need to be accessible from specific Logto-related domains only. It implements a whitelist-based
+ * approach to ensure only trusted origins can access sensitive anonymous endpoints.
+ *
+ * **Use Cases:**
+ * - Other anonymous authentication endpoints
+ * - Public APIs that should only be accessible from Logto-hosted websites
+ * - Any anonymous endpoint requiring strict origin validation
+ *
+ * **Security Features:**
+ * - Strict domain whitelist enforcement
+ * - Development vs production environment handling
+ * - Integration test environment support
+ * - Automatic OPTIONS preflight request handling
+ *
+ * @see {@link koaCors} for general-purpose CORS handling with URL Sets
+ */
+
+const consoleLog = new ConsoleLog(chalk.magenta('anonymous-cors'));
+
+// List of allowed local development origins
+const localDevelopmentOrigins = [
+  'localhost', // Localhost with any port
+  '127.0.0.1', // IPv4 loopback
+  '0.0.0.0', // All interfaces
+  '[::1]', // IPv6 loopback
+  '.local', // MDNS domains (especially for macOS)
+  'host.docker.internal', // Docker host from container
+];
+
+// List of allowed production domain suffixes
+const productionDomainSuffixes = [
+  '.logto.io', // Production domain
+  '.logto.dev', // Development domain
+  ...(EnvSet.values.isDevFeaturesEnabled ? ['.logto-docs.pages.dev'] : []), // Logto Docs CI preview domain, for testing purposes
+];
+
+/**
+ * Anonymous CORS middleware factory
+ *
+ * Creates a Koa middleware that enforces strict CORS policies for anonymous APIs.
+ * This middleware is designed for endpoints that need to be accessible without authentication
+ * but should be restricted to specific trusted domains only.
+ *
+ * **Features:**
+ * - Automatic OPTIONS preflight request handling with 204 status
+ * - Strict origin validation against predefined whitelists
+ * - Environment-aware behavior (development vs production)
+ * - Detailed error responses for unauthorized origins
+ *
+ * **Usage Example:**
+ * ```typescript
+ * router.get('/anonymous-api', koaAnonymousCors('GET, OPTIONS'), async (ctx) => {
+ *   // Your anonymous API logic here
+ * });
+ * ```
+ *
+ * @param allowedMethods - Comma-separated string of allowed HTTP methods (e.g., 'GET, POST, OPTIONS')
+ * @returns Koa middleware function for handling anonymous CORS
+ *
+ * @throws {RequestError} 403 Forbidden when request origin is not in the whitelist
+ */
+export default function koaAnonymousCors<StateT, ContextT, ResponseBodyT>(
+  allowedMethods: string
+): MiddlewareType<StateT, ContextT, ResponseBodyT> {
+  return cors({
+    origin: (ctx) => {
+      const origin = ctx.get('origin');
+      const { isProduction, isIntegrationTest } = EnvSet.values;
+
+      // Only show debug logs in non-production environments
+      if (!isProduction) {
+        consoleLog.info(`origin: ${origin}`);
+        consoleLog.info(`isIntegrationTest: ${isIntegrationTest}`);
+      }
+
+      // Allow local development origins
+      if (
+        (!isProduction || isIntegrationTest) &&
+        localDevelopmentOrigins.some((item) => origin.includes(item))
+      ) {
+        return origin;
+      }
+
+      // In production, only allow *.logto.io or *.logto.dev domains to access
+      if (isProduction && productionDomainSuffixes.some((suffix) => origin.endsWith(suffix))) {
+        return origin;
+      }
+
+      // Throw error for unauthorized origins
+      throw new RequestError({ code: 'auth.forbidden', status: 403 });
+    },
+    allowMethods: allowedMethods.split(',').map((method) => method.trim()),
+    allowHeaders: ['Content-Type'],
+  });
+}
+
+// Export utilities for testing
+export { localDevelopmentOrigins, productionDomainSuffixes };

packages/core/src/middleware/koa-cors.ts

@@ -4,6 +4,75 @@ import type { MiddlewareType } from 'koa';
 
 import { EnvSet } from '#src/env-set/index.js';
 
+/**
+ * @fileoverview General-purpose CORS middleware for Logto APIs
+ *
+ * This middleware provides flexible CORS (Cross-Origin Resource Sharing) control for authenticated
+ * and general-purpose APIs. It uses configurable URL Sets to determine allowed origins and supports
+ * both strict and lenient policies based on environment and path configurations.
+ *
+ * **Use Cases:**
+ * - Management APIs with authentication
+ * - User APIs with authentication
+ * - General endpoints that need flexible origin control
+ * - APIs that serve multiple applications with different domains
+ * - Development APIs that need permissive CORS policies
+ *
+ * **Key Features:**
+ * - URL Set-based origin validation
+ * - Path-based allowlist for specific endpoints
+ * - Environment-aware policies (development vs production)
+ * - Automatic localhost filtering in production for security
+ * - Support for multiple endpoint configurations
+ *
+ * **Comparison with Anonymous CORS:**
+ * - This middleware: Flexible, URL Set-based, suitable for authenticated APIs
+ * - Anonymous CORS: Strict whitelist, domain suffix-based, for anonymous sensitive APIs
+ *
+ * @see {@link koaAnonymousCors} for strict anonymous API CORS handling
+ */
+
+/**
+ * General-purpose CORS middleware factory
+ *
+ * Creates a flexible Koa CORS middleware that can handle various origin validation scenarios.
+ * This middleware is built on top of @koa/cors and adds Logto-specific logic for URL Set
+ * validation and environment-based security policies.
+ *
+ * **Features:**
+ * - **URL Set Validation**: Validates origins against configured URL sets (admin, user, etc.)
+ * - **Path-based Allowlist**: Certain paths can allow any origin when specified in allowedPrefixes
+ * - **Environment Awareness**: More permissive in development, strict in production
+ * - **Localhost Protection**: Automatically filters localhost in production for security
+ * - **Multiple Endpoint Support**: Handles complex multi-domain scenarios
+ *
+ * **Usage Examples:**
+ * ```typescript
+ * // Basic usage with URL sets
+ * app.use(koaCors([adminUrlSet, userUrlSet]));
+ *
+ * // With allowed prefixes for public APIs
+ * app.use(koaCors([adminUrlSet], ['/api/public', '/health']));
+ * ```
+ *
+ * **Security Behavior:**
+ * - **Development**: Allows any origin for flexibility
+ * - **Production**: Strict validation against URL sets, blocks localhost
+ * - **Allowed Prefixes**: Override strict validation for specific paths
+ *
+ * @param urlSets - Array of UrlSet objects containing allowed origins
+ * @param allowedPrefixes - Optional array of path prefixes that allow any origin
+ * @returns Koa CORS middleware with Logto-specific origin validation
+ *
+ * @example
+ * ```typescript
+ * // For management APIs
+ * managementRouter.use(koaCors([adminUrlSet, cloudUrlSet]));
+ *
+ * // For APIs with public endpoints
+ * apiRouter.use(koaCors([userUrlSet], ['/account', '/verification']));
+ * ```
+ */
 export default function koaCors<StateT, ContextT, ResponseBodyT>(
   urlSets: UrlSet[],
   allowedPrefixes: string[] = []

packages/core/src/routes/google-one-tap/index.openapi.json

@@ -57,10 +57,8 @@
           "content": {
             "application/json": {
               "schema": {
-                "type": "object",
                 "properties": {
                   "idToken": {
-                    "type": "string",
                     "description": "The Google ID Token from Google One Tap"
                   }
                 }
@@ -74,23 +72,17 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "type": "object",
                   "properties": {
                     "oneTimeToken": {
-                      "type": "string",
                       "description": "The generated one-time token for authentication"
                     },
                     "isNewUser": {
-                      "type": "boolean",
                       "description": "Whether this is a new user (registration) or existing user (login)"
                     },
                     "email": {
-                      "type": "string",
-                      "format": "email",
                       "description": "The verified email address from the Google ID Token"
                     }
-                  },
-                  "required": ["oneTimeToken", "isNewUser", "email"]
+                  }
                 }
               }
             }

packages/core/src/routes/google-one-tap/index.ts

@@ -5,11 +5,11 @@
 import chalk from 'chalk';
 import { addSeconds } from 'date-fns';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
-import type { Context } from 'koa';
 import { z } from 'zod';
 
 import { EnvSet } from '#src/env-set/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
+import koaAnonymousCors from '#src/middleware/koa-anonymous-cors.js';
 import type TenantContext from '#src/tenants/TenantContext.js';
 import type { LogtoConnector } from '#src/utils/connectors/types.js';
 
@@ -21,87 +21,32 @@
 // Default expiration time: 10 minutes.
 const defaultExpiresTime = 10 * 60;
 
-// List of allowed local development origins
-const localDevelopmentOrigins = [
-  'localhost', // Localhost with any port
-  '127.0.0.1', // IPv4 loopback
-  '0.0.0.0', // All interfaces
-  '[::1]', // IPv6 loopback
-  '.local', // MDNS domains (especially for macOS)
-  'host.docker.internal', // Docker host from container
-];
-
-// List of allowed production domain suffixes
-const productionDomainSuffixes = ['.logto.io', '.logto.dev'];
-
-/**
- * Check CORS origin and set appropriate headers
- */
-const setCorsHeaders = (ctx: Context, allowedMethods: string) => {
-  const origin = ctx.get('origin');
-
-  const { isProduction, isIntegrationTest } = EnvSet.values;
-
-  // Only show debug logs in non-production environments
-  if (!isProduction) {
-    consoleLog.info(`origin: ${origin}`);
-    consoleLog.info(`isIntegrationTest: ${isIntegrationTest}`);
-  }
-
-  // Allow local development origins
-  if (
-    (!isProduction || isIntegrationTest) &&
-    localDevelopmentOrigins.some((item) => origin.includes(item))
-  ) {
-    ctx.set('Access-Control-Allow-Origin', origin);
-  }
-  // In production, only allow *.logto.io or *.logto.dev domains to access
-  else if (isProduction && productionDomainSuffixes.some((suffix) => origin.endsWith(suffix))) {
-    ctx.set('Access-Control-Allow-Origin', origin);
-  } else {
-    throw new RequestError({ code: 'auth.forbidden', status: 403 });
-  }
-
-  ctx.set('Access-Control-Allow-Methods', allowedMethods);
-  ctx.set('Access-Control-Allow-Headers', 'Content-Type');
-};
-
-/**
- * Handle OPTIONS preflight requests
- */
-const handleOptionsRequest = async (ctx: Context, next: () => Promise<void>) => {
-  if (ctx.method === 'OPTIONS') {
-    ctx.status = 204;
-    return next();
-  }
-};
-
 /**
  * Get and validate Google One Tap connector configuration
  */
 const getGoogleOneTapConnector = async (getLogtoConnectors: () => Promise<LogtoConnector[]>) => {
   const connectors = await getLogtoConnectors();
   const googleOneTapConnector = connectors.find(
     (connector) =>
       connector.type === ConnectorType.Social && connector.metadata.id === GoogleConnector.factoryId
   );
 
   if (!googleOneTapConnector) {
     throw new RequestError({ code: 'connector.not_found', status: 404 });
   }
 
   const configResult = GoogleConnector.configGuard.safeParse(googleOneTapConnector.dbEntry.config);
 
   if (!configResult.success) {
     throw new RequestError({
       code: 'connector.invalid_config',
       status: 400,
       details: configResult.error.flatten(),
     });
   }
 
   return { connector: googleOneTapConnector, config: configResult.data };
 };
 
 export default function googleOneTapRoutes<T extends AnonymousRouter>(
   router: T,
@@ -121,6 +66,7 @@
 
   router.get(
     '/google-one-tap/config',
+    koaAnonymousCors('GET'),
     koaGuard({
       status: [200, 204, 400, 403, 404],
       response: GoogleConnector.configGuard
@@ -131,22 +77,19 @@
         .optional(),
     }),
     async (ctx, next) => {
-      setCorsHeaders(ctx, 'GET, OPTIONS');
-
-      await handleOptionsRequest(ctx, next);
-
       const {
         config: { clientId, oneTap },
       } = await getGoogleOneTapConnector(getLogtoConnectors);
 
       ctx.status = 200;
       ctx.body = { clientId, oneTap };
       return next();
     }
   );
 
   router.post(
     '/google-one-tap/verify',
+    koaAnonymousCors('POST'),
     koaGuard({
       body: z.object({
         idToken: z.string(),
@@ -159,74 +102,70 @@
       status: [200, 204, 400, 403, 404],
     }),
     async (ctx, next) => {
-      setCorsHeaders(ctx, 'POST, OPTIONS');
-
-      await handleOptionsRequest(ctx, next);
-
       const { idToken } = ctx.guard.body;
 
       const {
         config: { clientId },
       } = await getGoogleOneTapConnector(getLogtoConnectors);
 
       // Verify Google ID Token
       const { payload } = await tryThat(
         async () =>
           jwtVerify(idToken, createRemoteJWKSet(new URL(GoogleConnector.jwksUri)), {
             issuer: GoogleConnector.issuer,
             audience: clientId,
             clockTolerance: 10,
           }),
         (error) => {
           throw new RequestError({
             code: 'session.google_one_tap.invalid_id_token',
             status: 400,
             details: error,
           });
         }
       );
 
       const { sub: googleUserId, email, email_verified } = payload;
 
       if (!email || !email_verified) {
         throw new RequestError({
           code: 'session.google_one_tap.unverified_email',
           status: 400,
         });
       }
 
       // Check if user exists with this Google identity
       const existingUser = await findUserByIdentity(GoogleConnector.target, String(googleUserId));
       const isNewUser = !existingUser;
 
       // Create one-time token with appropriate context
       const expiresAt = addSeconds(new Date(), defaultExpiresTime);
       const oneTimeToken = await insertOneTimeToken({
         id: generateStandardId(),
         email: String(email),
         token: generateStandardSecret(),
         expiresAt: expiresAt.getTime(),
         context: {
           // Add jitOrganizationIds if this is for registration
           ...(isNewUser && { jitOrganizationIds: [] }),
         },
       });
 
       // Clean up any expired tokens for this email
       await trySafe(
         async () => updateExpiredOneTimeTokensStatusByEmail(String(email)),
         (error) => {
           consoleLog.error('Failed to clean up expired tokens:', error);
         }
       );
 
       ctx.status = 200;
       ctx.body = {
         oneTimeToken: oneTimeToken.token,
         isNewUser,
         email: String(email),
       };
 
       return next();
     }
   );

packages/toolkit/connector-kit/src/types/social.ts

@@ -131,6 +131,7 @@ export const GoogleConnector = Object.freeze({
   target: 'google',
   /** The factory ID of the official Google connector. */
   factoryId: 'google-universal',
+  // TODO: update google connector as well, keep it unchanged for now since it's out of scope.
   /**
    * The URI of the Google JWKS. Used to verify the Google-issued JWT.
    * @see {@link https://developers.google.com/identity/gsi/web/guides/verify-google-id-token | Verify the Google ID token on your server side}