From 6743dcb08aaf8e2821367ce9962c1c2f7753ace4 Mon Sep 17 00:00:00 2001
From: Matteo Pagliazzi
Date: Fri, 17 Jul 2020 19:00:16 +0200
Subject: [PATCH] fix(cors): expose rate limit headers to clients
---
 test/api/unit/middlewares/cors.test.js | 4 +++-
 website/server/middlewares/cors.js | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/api/unit/middlewares/cors.test.js b/test/api/unit/middlewares/cors.test.js
index ddcd729fbe..089b671a01 100644
--- a/test/api/unit/middlewares/cors.test.js
+++ b/test/api/unit/middlewares/cors.test.js
@@ -6,7 +6,7 @@ import {
 } from '../../../helpers/api-unit.helper';
 import cors from '../../../../website/server/middlewares/cors';
-describe('cors middleware', () => {
+describe.only('cors middleware', () => {
 let res;
 let req;
 let next;
@@ -22,6 +22,7 @@ describe('cors middleware', () => {
 'Access-Control-Allow-Origin': '*',
 'Access-Control-Allow-Methods': 'OPTIONS,GET,POST,PUT,HEAD,DELETE',
 'Access-Control-Allow-Headers': 'Authorization,Content-Type,Accept,Content-Encoding,X-Requested-With,x-api-user,x-api-key,x-client',
+ 'Access-Control-Expose-Headers': 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,Retry-After',
 });
 expect(res.sendStatus).to.not.have.been.called;
 expect(next).to.have.been.calledOnce;
@@ -34,6 +35,7 @@ describe('cors middleware', () => {
 'Access-Control-Allow-Origin': '*',
 'Access-Control-Allow-Methods': 'OPTIONS,GET,POST,PUT,HEAD,DELETE',
 'Access-Control-Allow-Headers': 'Authorization,Content-Type,Accept,Content-Encoding,X-Requested-With,x-api-user,x-api-key,x-client',
+ 'Access-Control-Expose-Headers': 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,Retry-After',
 });
 expect(res.sendStatus).to.have.been.calledWith(200);
 expect(next).to.not.have.been.called;
diff --git a/website/server/middlewares/cors.js b/website/server/middlewares/cors.js
index 5d20f5f15e..c3b10a2231 100644
--- a/website/server/middlewares/cors.js
+++ b/website/server/middlewares/cors.js
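Review bot: The `describe.only('cors middleware', () => {` introduced in the first hunk focuses the runner on this suite, so every other unit suite loaded in the same run is silently skipped and CI would report green without executing them; this reads as a leftover from local development and should be reverted to `describe('cors middleware', () => {` before merging. The two later hunks in this file repeat the expected `Access-Control-Expose-Headers` value as an identical literal; hoisting it into one constant at the top of the test would keep the two assertions from drifting apart. The `describe` callback these hunks belong to continues well past each of them.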
@@ -3,6 +3,8 @@ export default function corsMiddleware (req, res, next) {
 'Access-Control-Allow-Origin': req.header('origin') || '*',
 'Access-Control-Allow-Methods': 'OPTIONS,GET,POST,PUT,HEAD,DELETE',
 'Access-Control-Allow-Headers': 'Authorization,Content-Type,Accept,Content-Encoding,X-Requested-With,x-api-user,x-api-key,x-client',
+ // Expose rate limit headers to CORS requests
+ 'Access-Control-Expose-Headers': 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,Retry-After',
 });
 if (req.method === 'OPTIONS') return res.sendStatus(200);
 return next();
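Review bot: The header names on the added `'Access-Control-Expose-Headers'` line are a hard-coded list that must agree with whatever the rate-limiting middleware actually emits, which this hunk cannot show; if that middleware ever renames or adds a header, browser clients lose read access to it again and the unit test, which repeats the same literal, would not notice. Consider exporting the list as a named constant alongside the limiter (for example `RATE_LIMIT_HEADERS`), joining it with `,` here, and importing the same constant in the test so the two cannot drift. The added comment could also record why this is needed, e.g. `// Expose rate limit headers to CORS requests: only a small safelist of response headers is readable cross-origin unless listed here`. corsMiddleware opens before this hunk and its closing brace lies outside it.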