From 4e440401c81d79493bd32ef05f7d96f937e77d00 Mon Sep 17 00:00:00 2001 From: Dimitrie Stefanescu Date: Wed, 6 Jan 2021 08:52:02 +0000 Subject: [PATCH] fix(server): adds cors on object download route --- packages/server/app.js | 5 +++-- packages/server/modules/core/rest/download.js | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/packages/server/app.js b/packages/server/app.js index edc2a2d67..d6ff2122b 100644 --- a/packages/server/app.js +++ b/packages/server/app.js @@ -9,6 +9,7 @@ const compression = require( 'compression' ) const appRoot = require( 'app-root-path' ) const logger = require( 'morgan-debug' ) const bodyParser = require( 'body-parser' ) +const path = require( 'path' ) const debug = require( 'debug' ) const Sentry = require( '@sentry/node' ) @@ -112,10 +113,10 @@ exports.startHttp = async ( app ) => { // Production mode -> serve things statically. else { - app.use( '/', express.static( `${appRoot}/../packages/frontend/dist` ) ) + app.use( '/', express.static( path.resolve( `${appRoot}/../frontend/dist` ) ) ) app.all( '*', async ( req, res ) => { - res.sendFile( `${appRoot}/../packages/frontend/dist/app.html` ) + res.sendFile( path.resolve( `${appRoot}/../frontend/dist/app.html` ) ) } ) } diff --git a/packages/server/modules/core/rest/download.js b/packages/server/modules/core/rest/download.js index 4130f9ae5..a117caba8 100644 --- a/packages/server/modules/core/rest/download.js +++ b/packages/server/modules/core/rest/download.js 
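Review bot: In the production branch of `startHttp` (hunk `@@ -112,10 +113,10 @@` of app.js), the frontend directory is built twice from the same template string, and nothing checks that it resolves to the built frontend. `app-root-path` derives its root from the install location (or the `APP_ROOT_PATH` environment variable), so a different deployment layout would silently point `express.static` at another directory. I would compute it once, `const frontendDist = path.resolve( appRoot.path, '..', 'frontend', 'dist' )`, use `path.join( frontendDist, 'app.html' )` in `res.sendFile`, and fail at startup if that file is missing. A short comment saying why `path.resolve` is needed would help, since this path change is not mentioned in the commit subject. The body of `startHttp` starts and ends outside the hunk.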
@@ -3,12 +3,14 @@ const zlib = require( 'zlib' ) const Busboy = require( 'busboy' ) const debug = require( 'debug' ) const appRoot = require( 'app-root-path' ) +const cors = require( 'cors' ) const { contextMiddleware, validateScopes, authorizeResolver } = require( `${appRoot}/modules/shared` ) const { getObject, getObjectChildrenStream } = require( '../services/objects' ) module.exports = ( app ) => { - app.get( '/objects/:streamId/:objectId', contextMiddleware, async ( req, res ) => { + app.options( '/objects/:streamId/:objectId', cors() ) + app.get( '/objects/:streamId/:objectId', cors(), contextMiddleware, async ( req, res ) => { if ( !req.context || !req.context.auth ) { return res.status( 401 ).end( ) }
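Review bot: `cors()` is called with no options on both the new `app.options` and the `app.get` registration for `/objects/:streamId/:objectId`. In the cors package that allows every origin and reflects the requested headers back on preflight. That is acceptable only if this route authenticates purely from a token the caller sends explicitly. `contextMiddleware` is not visible in this hunk, so please confirm it never accepts cookies or other ambient credentials, and record that in a comment such as `// CORS open to all origins: auth is header token only, no cookies`. If downloads are meant for known frontends only, build one restricted instance and reuse it in both registrations, e.g. `const objectCors = cors( { origin: ALLOWED_ORIGINS, methods: [ 'GET' ] } )`, where `ALLOWED_ORIGINS` is a placeholder name. The handler body continues past the end of the hunk.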