From cdaf59c8e367578baf89e0b5f214073254d7d66a Mon Sep 17 00:00:00 2001
From: Kristian Freeman <kristian@kristianfreeman.com>
Date: Mon, 19 Aug 2019 11:41:29 -0500
Subject: [PATCH] Initial code spike towards fixing CORS headers

---
 src/index.js         | 8 +++++++-
 src/utils/setCors.js | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 src/utils/setCors.js

diff --git a/src/index.js b/src/index.js
index d3edb63..963b270 100644
--- a/src/index.js
+++ b/src/index.js
@@ -1,5 +1,6 @@
 const apollo = require('./handlers/apollo')
 const playground = require('./handlers/playground')
+const setCors = require('./utils/setCors')
 
 const graphQLOptions = {
   // Set the path for the GraphQL server
@@ -17,7 +18,12 @@ const handleRequest = request => {
   const url = new URL(request.url)
   try {
     if (url.pathname === graphQLOptions.baseEndpoint) {
-      return apollo(request, graphQLOptions)
+      const response =
+        request.method === 'OPTIONS'
+          ? new Response('', { status: 204 })
+          : await apollo(request, graphQLOptions)
+      setCorsHeaders(response)
+      return response
     } else if (
       graphQLOptions.playgroundEndpoint &&
       url.pathname === graphQLOptions.playgroundEndpoint
diff --git a/src/utils/setCors.js b/src/utils/setCors.js
new file mode 100644
index 0000000..6ea5a72
--- /dev/null
+++ b/src/utils/setCors.js
@@ -0,0 +1,9 @@
+const setCorsHeaders = response => {
+  response.headers.set('Access-Control-Allow-Origin', '*')
+  response.headers.set('Access-Control-Allow-Credentials', 'true')
+  response.headers.set('Access-Control-Allow-Methods', 'GET,POST')
+  response.headers.set('Access-Control-Allow-Headers', 'application/json, Content-type')
+  response.headers.set('X-Content-Type-Options', 'nosniff')
+}
+
+module.exports = setCorsHeaders