From 0f6b92617c23cd1ad5f575f10339eb2a2305e059 Mon Sep 17 00:00:00 2001
From: Matthias Kretschmann
Date: Fri, 22 Jun 2018 13:05:58 +0200
Subject: [PATCH] lock down with CORS
---
 webtask-zoho.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/webtask-zoho.js b/webtask-zoho.js
index 6b80287..8cc0f77 100644
--- a/webtask-zoho.js
+++ b/webtask-zoho.js
@@ -6,10 +6,18 @@ const request = require('request')
 const server = express()
-server.use(cors())
 server.listen(4430)
 server.use(bodyParser.json())
+//
+// Allow requests from these domains only
+//
+const corsOptions = {
+ origin: ['https://oceanprotocol.com', /\.oceanprotocol\.com$/],
+ optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
+}
+server.use(cors(corsOptions))
+
 //
 // Zoho APIs
 //
@@ -20,6 +28,8 @@ const sendRequest = (options, res) => {
 request(options, (error, response, body) => {
 if (error) res.send(error)
+ // just pass through whatever we get from the APIs
+ // as the response
 res.send(body)
 res.sendStatus(response.statusCode)
 })
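Review bot: The regex entry in `origin` is matched against the whole Origin string, so `/\.oceanprotocol\.com$/` also accepts plain `http://` origins under the domain; anchoring the scheme as well, e.g. `/^https:\/\/[a-z0-9.-]+\.oceanprotocol\.com$/`, keeps the allowlist to HTTPS subdomains. The comment "Allow requests from these domains only" also overstates what this middleware does. CORS headers only decide which browser origins may read the response, so a request from a non-browser client or a disallowed origin still reaches the Zoho handlers below. If those endpoints must be reachable only from the site, that needs a server-side check (authentication or an explicit rejection on Origin) in addition to `cors(corsOptions)`, and the comment would be more accurate as `// Only these origins may read responses cross-origin (browser-enforced, not access control)`.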
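Review bot: The pass-through that the new comment describes does not work as written: `res.send(body)` already completes the response, so the following `res.sendStatus(response.statusCode)` attempts a second one, and on the error path `if (error) res.send(error)` has no `return`, so execution continues with `response` undefined. Something like `if (error) return res.status(502).send('upstream request failed')` followed by `res.status(response.statusCode).send(body)` sends exactly one response carrying the upstream status. Returning a fixed message instead of the raw `error` object also avoids handing upstream connection details to the caller. `sendRequest` begins above this hunk and its closing lines are outside it, so this is based only on the lines shown.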