chore(release): publish new version

- @standardnotes/api-gateway@1.91.0 - @standardnotes/files-server@1.38.0 - @standardnotes/home-server@1.23.0
feat: add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted
2026-05-06 15:57:28 -04:00 · 2024-03-20 15:04:32 +00:00 · 2024-03-20 15:59:43 +01:00 · 2024-03-18 10:22:49 +00:00 · 2024-03-18 11:17:52 +01:00 · 2024-03-18 08:48:11 +00:00
27 changed files with 310 additions and 107 deletions
@@ -28,3 +28,5 @@ AUTH_SERVER_ENCRYPTION_SERVER_KEY=1087415dfde3093797f9a7ca93a49e7d7aa1861735eb0d
 VALET_TOKEN_SECRET=4b886819ebe1e908077c6cae96311b48a8416bd60cc91c03060e15bdf6b30d1f

 SYNCING_SERVER_CONTENT_SIZE_TRANSFER_LIMIT=100000
+
+HTTP_REQUEST_PAYLOAD_LIMIT_MEGABYTES=1
@@ -42,26 +42,26 @@ jobs:
      workspace_name: ${{ inputs.workspace_name }}
    secrets: inherit

-  deploy-web:
-    if: ${{ inputs.deploy_web }}
+  # deploy-web:
+  #   if: ${{ inputs.deploy_web }}

-    needs: publish
+  #   needs: publish

-    name: Deploy Web
-    uses: standardnotes/server/.github/workflows/common-deploy.yml@main
-    with:
-      service_name: ${{ inputs.service_name }}
-      docker_image: ${{ inputs.service_name }}:${{ github.sha }}
-    secrets: inherit
+  #   name: Deploy Web
+  #   uses: standardnotes/server/.github/workflows/common-deploy.yml@main
+  #   with:
+  #     service_name: ${{ inputs.service_name }}
+  #     docker_image: ${{ inputs.service_name }}:${{ github.sha }}
+  #   secrets: inherit

-  deploy-worker:
-    if: ${{ inputs.deploy_worker }}
+  # deploy-worker:
+  #   if: ${{ inputs.deploy_worker }}

-    needs: publish
+  #   needs: publish

-    name: Deploy Worker
-    uses: standardnotes/server/.github/workflows/common-deploy.yml@main
-    with:
-      service_name: ${{ inputs.service_name }}-worker
-      docker_image: ${{ inputs.service_name }}:${{ github.sha }}
-    secrets: inherit
+  #   name: Deploy Worker
+  #   uses: standardnotes/server/.github/workflows/common-deploy.yml@main
+  #   with:
+  #     service_name: ${{ inputs.service_name }}-worker
+  #     docker_image: ${{ inputs.service_name }}:${{ github.sha }}
+  #   secrets: inherit
@@ -71,6 +71,7 @@ jobs:
        echo "REFRESH_TOKEN_AGE=10" >> packages/home-server/.env
        echo "REVISIONS_FREQUENCY=2" >> packages/home-server/.env
        echo "CONTENT_SIZE_TRANSFER_LIMIT=100000" >> packages/home-server/.env
+        echo "HTTP_REQUEST_PAYLOAD_LIMIT_MEGABYTES=1" >> packages/home-server/.env
        echo "DB_HOST=localhost" >> packages/home-server/.env
        echo "DB_PORT=3306" >> packages/home-server/.env
        echo "DB_DATABASE=standardnotes" >> packages/home-server/.env
@@ -98,30 +98,32 @@ jobs:
    - name: Test
      run: yarn test

-  e2e-base:
-    needs: build
-    name: E2E Base Suite
-    uses: standardnotes/server/.github/workflows/common-e2e.yml@main
-    with:
-      snjs_image_tag: 'latest'
-      suite: 'base'
+  # e2e-base:
+  #   needs: build
+  #   name: E2E Base Suite
+  #   uses: standardnotes/server/.github/workflows/common-e2e.yml@main
+  #   with:
+  #     snjs_image_tag: 'latest'
+  #     suite: 'base'

-  e2e-vaults:
-    needs: build
-    name: E2E Vaults Suite
-    uses: standardnotes/server/.github/workflows/common-e2e.yml@main
-    with:
-      snjs_image_tag: 'latest'
-      suite: 'vaults'
+  # e2e-vaults:
+  #   needs: build
+  #   name: E2E Vaults Suite
+  #   uses: standardnotes/server/.github/workflows/common-e2e.yml@main
+  #   with:
+  #     snjs_image_tag: 'latest'
+  #     suite: 'vaults'

  publish-self-hosting:
-    needs: [ test, lint, e2e-base, e2e-vaults ]
+    # needs: [ test, lint, e2e-base, e2e-vaults ]
+    needs: [ test, lint ]
    name: Publish Self Hosting Docker Image
    uses: standardnotes/server/.github/workflows/common-self-hosting.yml@main
    secrets: inherit

  publish-services:
-    needs: [ test, lint, e2e-base, e2e-vaults ]
+    # needs: [ test, lint, e2e-base, e2e-vaults ]
+    needs: [ test, lint ]

    runs-on: ubuntu-latest

@@ -3,6 +3,24 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+# [1.91.0](https://github.com/standardnotes/server/compare/@standardnotes/api-gateway@1.90.3...@standardnotes/api-gateway@1.91.0) (2024-03-20)
+
+### Features
+
+* add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted ([5c02435](https://github.com/standardnotes/server/commit/5c02435ee478b893747d3f9e41062aae12d7ff10))
+
+## [1.90.3](https://github.com/standardnotes/server/compare/@standardnotes/api-gateway@1.90.2...@standardnotes/api-gateway@1.90.3) (2024-03-18)
+
+### Bug Fixes
+
+* **api-gateway:** response headers cors issue - fixes [#1046](https://github.com/standardnotes/server/issues/1046) ([be668d7](https://github.com/standardnotes/server/commit/be668d7d7a1d9128f625a2bfa807e6a91183b488))
+
+## [1.90.2](https://github.com/standardnotes/server/compare/@standardnotes/api-gateway@1.90.1...@standardnotes/api-gateway@1.90.2) (2024-03-18)
+
+### Bug Fixes
+
+* cors issues on clients - fixes [#1046](https://github.com/standardnotes/server/issues/1046) ([#1049](https://github.com/standardnotes/server/issues/1049)) ([6d7ca1b](https://github.com/standardnotes/server/commit/6d7ca1b926fd45d744275bd3c1f4c05b010f76c8))
+
 ## [1.90.1](https://github.com/standardnotes/server/compare/@standardnotes/api-gateway@1.90.0...@standardnotes/api-gateway@1.90.1) (2024-01-19)

 **Note:** Version bump only for package @standardnotes/api-gateway
@@ -83,7 +83,51 @@ void container.load().then((container) => {
        type: ['text/plain', 'application/x-www-form-urlencoded', 'application/x-www-form-urlencoded; charset=utf-8'],
      }),
    )
-    app.use(cors())
+    const corsAllowedOrigins = env.get('CORS_ALLOWED_ORIGINS', true)
+      ? env.get('CORS_ALLOWED_ORIGINS', true).split(',')
+      : []
+    app.use(
+      cors({
+        credentials: true,
+        exposedHeaders: ['x-captcha-required'],
+        origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+          const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+            ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+            : false
+
+          if (!originStrictModeEnabled) {
+            callback(null, [requestOrigin as string])
+
+            return
+          }
+
+          const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
+          const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
+          const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
+          const requestOriginatesFromSelfHostedAppOnHttpPort = requestOrigin === 'http://localhost'
+          const requestOriginatesFromSelfHostedAppOnCustomPort = requestOrigin?.match(/http:\/\/localhost:\d+/) !== null
+          const requestOriginatesFromSelfHostedApp =
+            requestOriginatesFromSelfHostedAppOnHttpPort || requestOriginatesFromSelfHostedAppOnCustomPort
+
+          const requestIsWhitelisted =
+            corsAllowedOrigins.length === 0 ||
+            requstOriginIsNotFilled ||
+            requestOriginatesFromTheDesktopApp ||
+            requestOriginatesFromClipperForFirefox ||
+            requestOriginatesFromSelfHostedApp
+
+          if (requestIsWhitelisted) {
+            callback(null, [requestOrigin as string])
+          } else {
+            if (corsAllowedOrigins.includes(requestOrigin)) {
+              callback(null, [requestOrigin])
+            } else {
+              callback(new Error('Not allowed by CORS', { cause: 'origin not allowed' }))
+            }
+          }
+        },
+      }),
+    )
    app.use(
      robots({
        UserAgent: '*',
@@ -1,6 +1,6 @@
 {
  "name": "@standardnotes/api-gateway",
-  "version": "1.90.1",
+  "version": "1.91.0",
  "engines": {
    "node": ">=18.0.0 <21.0.0"
  },
@@ -340,13 +340,11 @@ export class HttpServiceProxy implements ServiceProxyInterface {

  private applyResponseHeaders(serviceResponse: AxiosResponse, response: Response): void {
    const returnedHeadersFromUnderlyingService = [
-      'access-control-allow-methods',
-      'access-control-allow-origin',
-      'access-control-expose-headers',
-      'authorization',
      'content-type',
-      'x-ssjs-version',
-      'x-auth-version',
+      'authorization',
+      'set-cookie',
+      'access-control-expose-headers',
+      'x-captcha-required',
    ]

    returnedHeadersFromUnderlyingService.map((headerName) => {
@@ -435,13 +435,11 @@ export class GRPCServiceProxy implements ServiceProxyInterface {

  private applyResponseHeaders(serviceResponse: AxiosResponse, response: Response): void {
    const returnedHeadersFromUnderlyingService = [
-      'access-control-allow-methods',
-      'access-control-allow-origin',
-      'access-control-expose-headers',
-      'authorization',
      'content-type',
-      'x-ssjs-version',
-      'x-auth-version',
+      'authorization',
+      'set-cookie',
+      'access-control-expose-headers',
+      'x-captcha-required',
    ]

    returnedHeadersFromUnderlyingService.map((headerName) => {
@@ -3,6 +3,24 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.178.3](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.178.2...@standardnotes/auth-server@1.178.3) (2024-03-18)
+
+### Bug Fixes
+
+* **auth:** allow registration on new api versions - fixes [#1046](https://github.com/standardnotes/server/issues/1046) ([#1048](https://github.com/standardnotes/server/issues/1048)) ([f939caf](https://github.com/standardnotes/server/commit/f939caf2d9a781d42989ad6e92a5c7150ff48e19))
+
+## [1.178.2](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.178.1...@standardnotes/auth-server@1.178.2) (2024-03-15)
+
+### Bug Fixes
+
+* allow handling of new api version ([9d49764](https://github.com/standardnotes/server/commit/9d49764b841e73655e19523eddf10498addc9fb4))
+
+## [1.178.1](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.178.0...@standardnotes/auth-server@1.178.1) (2024-02-09)
+
+### Bug Fixes
+
+* allow expired offline subscriptions to receive dashboard emails ([#1041](https://github.com/standardnotes/server/issues/1041)) ([4fe8e9a](https://github.com/standardnotes/server/commit/4fe8e9a79f652f3e39608d6683cb17cc08bb8717))
+
 # [1.178.0](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.177.20...@standardnotes/auth-server@1.178.0) (2024-01-19)

 ### Features
@@ -1,6 +1,6 @@
 {
  "name": "@standardnotes/auth-server",
-  "version": "1.178.0",
+  "version": "1.178.3",
  "engines": {
    "node": ">=18.0.0 <21.0.0"
  },
@@ -2,4 +2,5 @@ export enum ApiVersion {
  v20161215 = '20161215',
  v20190520 = '20190520',
  v20200115 = '20200115',
+  v20240226 = '20240226',
 }
@@ -24,6 +24,7 @@ export class AuthResponseFactoryResolver implements AuthResponseFactoryResolverI
      case ApiVersion.v20190520:
        return this.authResponseFactory20190520
      case ApiVersion.v20200115:
+      case ApiVersion.v20240226:
        return this.authResponseFactory20200115
      default:
        return this.authResponseFactory20161215
@@ -89,42 +89,4 @@ describe('CreateOfflineSubscriptionToken', () => {
    expect(domainEventFactory.createEmailRequestedEvent).not.toHaveBeenCalled()
    expect(domainEventPublisher.publish).not.toHaveBeenCalled()
  })
-
-  it('should not create an offline subscription token if email has a cancelled subscription', async () => {
-    offlineUserSubscriptionRepository.findOneByEmail = jest
-      .fn()
-      .mockReturnValue({ cancelled: true, endsAt: 100 } as jest.Mocked<OfflineUserSubscription>)
-
-    expect(
-      await createUseCase().execute({
-        userEmail: 'test@test.com',
-      }),
-    ).toEqual({
-      success: false,
-      error: 'subscription-canceled',
-    })
-
-    expect(offlineSubscriptionTokenRepository.save).not.toHaveBeenCalled()
-    expect(domainEventFactory.createEmailRequestedEvent).not.toHaveBeenCalled()
-    expect(domainEventPublisher.publish).not.toHaveBeenCalled()
-  })
-
-  it('should not create an offline subscription token if email has an outdated subscription', async () => {
-    offlineUserSubscriptionRepository.findOneByEmail = jest
-      .fn()
-      .mockReturnValue({ cancelled: false, endsAt: 2 } as jest.Mocked<OfflineUserSubscription>)
-
-    expect(
-      await createUseCase().execute({
-        userEmail: 'test@test.com',
-      }),
-    ).toEqual({
-      success: false,
-      error: 'subscription-expired',
-    })
-
-    expect(offlineSubscriptionTokenRepository.save).not.toHaveBeenCalled()
-    expect(domainEventFactory.createEmailRequestedEvent).not.toHaveBeenCalled()
-    expect(domainEventPublisher.publish).not.toHaveBeenCalled()
-  })
 })
@@ -37,20 +37,6 @@ export class CreateOfflineSubscriptionToken implements UseCaseInterface {
      }
    }

-    if (existingSubscription.cancelled) {
-      return {
-        success: false,
-        error: 'subscription-canceled',
-      }
-    }
-
-    if (existingSubscription.endsAt < this.timer.getTimestampInMicroseconds()) {
-      return {
-        success: false,
-        error: 'subscription-expired',
-      }
-    }
-
    const token = await this.cryptoNode.generateRandomKey(128)

    const offlineSubscriptionToken = {
@@ -127,6 +127,43 @@ describe('Register', () => {
    })
  })

+  it('should register a new user with default set of roles on new api version', async () => {
+    const role = new Role()
+    role.name = RoleName.NAMES.CoreUser
+
+    roleRepository.findOneByName = jest.fn().mockReturnValueOnce(role)
+
+    expect(
+      await createUseCase().execute({
+        email: 'test@test.te',
+        password: 'asdzxc',
+        updatedWithUserAgent: 'Mozilla',
+        apiVersion: '20240226',
+        ephemeralSession: false,
+        version: '004',
+        pwCost: 11,
+        pwSalt: 'qweqwe',
+        pwNonce: undefined,
+      }),
+    ).toEqual({ success: true, authResponse: { foo: 'bar' } })
+
+    expect(userRepository.save).toHaveBeenCalledWith({
+      email: 'test@test.te',
+      encryptedPassword: expect.any(String),
+      encryptedServerKey: 'test',
+      serverEncryptionVersion: 1,
+      pwCost: 11,
+      pwNonce: undefined,
+      pwSalt: 'qweqwe',
+      updatedWithUserAgent: 'Mozilla',
+      uuid: expect.any(String),
+      version: '004',
+      createdAt: new Date(1),
+      updatedAt: new Date(1),
+      roles: Promise.resolve([role]),
+    })
+  })
+
  it('should fail to register if applying default settings fails', async () => {
    applyDefaultSettings.execute = jest.fn().mockReturnValue(Result.fail('error'))

@@ -36,7 +36,7 @@ export class Register implements UseCaseInterface {

    const { email, password, apiVersion, ephemeralSession, ...registrationFields } = dto

-    if (apiVersion !== ApiVersion.v20200115) {
+    if (![ApiVersion.v20200115, ApiVersion.v20240226].includes(apiVersion as ApiVersion)) {
      return {
        success: false,
        errorMessage: `Unsupported api version: ${apiVersion}`,
@@ -3,6 +3,18 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+# [1.38.0](https://github.com/standardnotes/server/compare/@standardnotes/files-server@1.37.12...@standardnotes/files-server@1.38.0) (2024-03-20)
+
+### Features
+
+* add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted ([5c02435](https://github.com/standardnotes/server/commit/5c02435ee478b893747d3f9e41062aae12d7ff10))
+
+## [1.37.12](https://github.com/standardnotes/server/compare/@standardnotes/files-server@1.37.11...@standardnotes/files-server@1.37.12) (2024-03-18)
+
+### Bug Fixes
+
+* cors issues on clients - fixes [#1046](https://github.com/standardnotes/server/issues/1046) ([#1049](https://github.com/standardnotes/server/issues/1049)) ([6d7ca1b](https://github.com/standardnotes/server/commit/6d7ca1b926fd45d744275bd3c1f4c05b010f76c8))
+
 ## [1.37.11](https://github.com/standardnotes/server/compare/@standardnotes/files-server@1.37.10...@standardnotes/files-server@1.37.11) (2024-01-19)

 **Note:** Version bump only for package @standardnotes/files-server
@@ -65,9 +65,55 @@ void container.load().then((container) => {
    app.use(json({ limit: requestPayloadLimit }))
    app.use(raw({ limit: requestPayloadLimit, type: 'application/octet-stream' }))
    app.use(urlencoded({ extended: true, limit: requestPayloadLimit }))
+
+    const corsAllowedOrigins = env.get('CORS_ALLOWED_ORIGINS', true)
+      ? env.get('CORS_ALLOWED_ORIGINS', true).split(',')
+      : []
    app.use(
      cors({
-        exposedHeaders: ['Content-Range', 'Accept-Ranges'],
+        credentials: true,
+        exposedHeaders: [
+          'Content-Range',
+          'Accept-Ranges',
+          'Access-Control-Allow-Credentials',
+          'Access-Control-Allow-Origin',
+        ],
+        origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+          const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+            ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+            : false
+
+          if (!originStrictModeEnabled) {
+            callback(null, [requestOrigin as string])
+
+            return
+          }
+
+          const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
+          const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
+          const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
+          const requestOriginatesFromSelfHostedAppOnHttpPort = requestOrigin === 'http://localhost'
+          const requestOriginatesFromSelfHostedAppOnCustomPort = requestOrigin?.match(/http:\/\/localhost:\d+/) !== null
+          const requestOriginatesFromSelfHostedApp =
+            requestOriginatesFromSelfHostedAppOnHttpPort || requestOriginatesFromSelfHostedAppOnCustomPort
+
+          const requestIsWhitelisted =
+            corsAllowedOrigins.length === 0 ||
+            requstOriginIsNotFilled ||
+            requestOriginatesFromTheDesktopApp ||
+            requestOriginatesFromClipperForFirefox ||
+            requestOriginatesFromSelfHostedApp
+
+          if (requestIsWhitelisted) {
+            callback(null, [requestOrigin as string])
+          } else {
+            if (corsAllowedOrigins.includes(requestOrigin)) {
+              callback(null, [requestOrigin])
+            } else {
+              callback(new Error('Not allowed by CORS', { cause: 'origin not allowed' }))
+            }
+          }
+        },
      }),
    )
    app.use(
@@ -1,6 +1,6 @@
 {
  "name": "@standardnotes/files-server",
-  "version": "1.37.11",
+  "version": "1.38.0",
  "engines": {
    "node": ">=18.0.0 <21.0.0"
  },
@@ -3,6 +3,34 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+# [1.23.0](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.68...@standardnotes/home-server@1.23.0) (2024-03-20)
+
+### Features
+
+* add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted ([5c02435](https://github.com/standardnotes/server/commit/5c02435ee478b893747d3f9e41062aae12d7ff10))
+
+## [1.22.68](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.67...@standardnotes/home-server@1.22.68) (2024-03-18)
+
+**Note:** Version bump only for package @standardnotes/home-server
+
+## [1.22.67](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.66...@standardnotes/home-server@1.22.67) (2024-03-18)
+
+### Bug Fixes
+
+* cors issues on clients - fixes [#1046](https://github.com/standardnotes/server/issues/1046) ([#1049](https://github.com/standardnotes/server/issues/1049)) ([6d7ca1b](https://github.com/standardnotes/server/commit/6d7ca1b926fd45d744275bd3c1f4c05b010f76c8))
+
+## [1.22.66](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.65...@standardnotes/home-server@1.22.66) (2024-03-18)
+
+**Note:** Version bump only for package @standardnotes/home-server
+
+## [1.22.65](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.64...@standardnotes/home-server@1.22.65) (2024-03-15)
+
+**Note:** Version bump only for package @standardnotes/home-server
+
+## [1.22.64](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.63...@standardnotes/home-server@1.22.64) (2024-02-09)
+
+**Note:** Version bump only for package @standardnotes/home-server
+
 ## [1.22.63](https://github.com/standardnotes/server/compare/@standardnotes/home-server@1.22.62...@standardnotes/home-server@1.22.63) (2024-01-19)

 **Note:** Version bump only for package @standardnotes/home-server
@@ -1,6 +1,6 @@
 {
  "name": "@standardnotes/home-server",
-  "version": "1.22.63",
+  "version": "1.23.0",
  "engines": {
    "node": ">=18.0.0 <21.0.0"
  },
@@ -129,9 +129,50 @@ export class HomeServer implements HomeServerInterface {
            ],
          }),
        )
+        const corsAllowedOrigins = env.get('CORS_ALLOWED_ORIGINS', true)
+          ? env.get('CORS_ALLOWED_ORIGINS', true).split(',')
+          : []
        app.use(
          cors({
-            exposedHeaders: ['Content-Range', 'Accept-Ranges'],
+            credentials: true,
+            exposedHeaders: ['Content-Range', 'Accept-Ranges', 'x-captcha-required'],
+            origin: (requestOrigin: string | undefined, callback: (err: Error | null, origin?: string[]) => void) => {
+              const originStrictModeEnabled = env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true)
+                ? env.get('CORS_ORIGIN_STRICT_MODE_ENABLED', true) === 'true'
+                : false
+
+              if (!originStrictModeEnabled) {
+                callback(null, [requestOrigin as string])
+
+                return
+              }
+
+              const requstOriginIsNotFilled = !requestOrigin || requestOrigin === 'null'
+              const requestOriginatesFromTheDesktopApp = requestOrigin?.startsWith('file://')
+              const requestOriginatesFromClipperForFirefox = requestOrigin?.startsWith('moz-extension://')
+              const requestOriginatesFromSelfHostedAppOnHttpPort = requestOrigin === 'http://localhost'
+              const requestOriginatesFromSelfHostedAppOnCustomPort =
+                requestOrigin?.match(/http:\/\/localhost:\d+/) !== null
+              const requestOriginatesFromSelfHostedApp =
+                requestOriginatesFromSelfHostedAppOnHttpPort || requestOriginatesFromSelfHostedAppOnCustomPort
+
+              const requestIsWhitelisted =
+                corsAllowedOrigins.length === 0 ||
+                requstOriginIsNotFilled ||
+                requestOriginatesFromTheDesktopApp ||
+                requestOriginatesFromClipperForFirefox ||
+                requestOriginatesFromSelfHostedApp
+
+              if (requestIsWhitelisted) {
+                callback(null, [requestOrigin as string])
+              } else {
+                if (corsAllowedOrigins.includes(requestOrigin)) {
+                  callback(null, [requestOrigin])
+                } else {
+                  callback(new Error('Not allowed by CORS', { cause: 'origin not allowed' }))
+                }
+              }
+            },
          }),
        )
        app.use(
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.136.2](https://github.com/standardnotes/server/compare/@standardnotes/syncing-server@1.136.1...@standardnotes/syncing-server@1.136.2) (2024-03-15)
+
+### Bug Fixes
+
+* allow handling of new api version ([9d49764](https://github.com/standardnotes/server/commit/9d49764b841e73655e19523eddf10498addc9fb4))
+
 ## [1.136.1](https://github.com/standardnotes/server/compare/@standardnotes/syncing-server@1.136.0...@standardnotes/syncing-server@1.136.1) (2024-01-19)

 **Note:** Version bump only for package @standardnotes/syncing-server
@@ -1,6 +1,6 @@
 {
  "name": "@standardnotes/syncing-server",
-  "version": "1.136.1",
+  "version": "1.136.2",
  "engines": {
    "node": ">=18.0.0 <21.0.0"
  },
@@ -2,4 +2,5 @@ export enum ApiVersion {
  v20161215 = '20161215',
  v20190520 = '20190520',
  v20200115 = '20200115',
+  v20240226 = '20240226',
 }
@@ -14,6 +14,7 @@ export class SyncResponseFactoryResolver implements SyncResponseFactoryResolverI
    switch (apiVersion) {
      case ApiVersion.v20190520:
      case ApiVersion.v20200115:
+      case ApiVersion.v20240226:
        return this.syncResponseFactory20200115
      default:
        return this.syncResponseFactory20161215
Author	SHA1	Message	Date
standardci	dbb0e4a974	chore(release): publish new version - @standardnotes/api-gateway@1.91.0 - @standardnotes/files-server@1.38.0 - @standardnotes/home-server@1.23.0	2024-03-20 15:04:32 +00:00
Karol Sójko	5c02435ee4	feat: add CORS_ORIGIN_STRICT_MODE_ENABLED env var to determine if CORS origin should be restricted	2024-03-20 15:59:43 +01:00
standardci	0a1e555b13	chore(release): publish new version - @standardnotes/api-gateway@1.90.3 - @standardnotes/home-server@1.22.68	2024-03-18 10:22:49 +00:00
Karol Sójko	be668d7d7a	fix(api-gateway): response headers cors issue - fixes #1046	2024-03-18 11:17:52 +01:00
standardci	87e50ec941	chore(release): publish new version - @standardnotes/api-gateway@1.90.2 - @standardnotes/files-server@1.37.12 - @standardnotes/home-server@1.22.67	2024-03-18 08:48:11 +00:00
Karol Sójko	6d7ca1b926	fix: cors issues on clients - fixes #1046 (#1049 )	2024-03-18 09:43:58 +01:00
standardci	00bfaaa53d	chore(release): publish new version - @standardnotes/auth-server@1.178.3 - @standardnotes/home-server@1.22.66	2024-03-18 08:12:46 +00:00
Karol Sójko	f939caf2d9	fix(auth): allow registration on new api versions - fixes #1046 (#1048 )	2024-03-18 09:08:16 +01:00
standardci	0f3615ee65	chore(release): publish new version - @standardnotes/auth-server@1.178.2 - @standardnotes/home-server@1.22.65 - @standardnotes/syncing-server@1.136.2	2024-03-15 10:25:31 +00:00
Karol Sójko	567bcf26b5	tmp: disable e2e and deployment to ecs	2024-03-15 11:20:38 +01:00
Karol Sójko	9d49764b84	fix: allow handling of new api version	2024-03-15 11:17:46 +01:00
standardci	5c9f493b67	chore(release): publish new version - @standardnotes/auth-server@1.178.1 - @standardnotes/home-server@1.22.64	2024-02-09 18:01:17 +00:00
Mo	4fe8e9a79f	fix: allow expired offline subscriptions to receive dashboard emails (#1041 )	2024-02-09 11:39:47 -06:00
Karol Sójko	f975dd9697	fix: e2e params for max http request payload size (#1037 )	2024-02-02 13:06:52 +01:00