From fc43ff6e633ccbec675c30adb94e3fe0b1ec30bf Mon Sep 17 00:00:00 2001
From: Hiran del Castillo <hirandelcastillo@gmail.com>
Date: Thu, 5 Apr 2018 14:06:30 -0500
Subject: [PATCH] [SEMVER-MAJOR] Remove deprecated CORS support

It's the responsibility of the applications using API Explorer
to configure an app-wide CORS middleware.
---
 index.js              | 24 ------------------------
 package.json          |  2 --
 test/explorer.test.js | 33 ---------------------------------
 3 files changed, 59 deletions(-)

diff --git a/index.js b/index.js
index 312593e..b588f7c 100644
--- a/index.js
+++ b/index.js
@@ -12,12 +12,10 @@ var g = SG();
 /*!
  * Adds dynamically-updated docs as /explorer
  */
-var deprecated = require('depd')('loopback-explorer');
 var url = require('url');
 var path = require('path');
 var urlJoin = require('./lib/url-join');
 var _defaults = require('lodash').defaults;
-var cors = require('cors');
 var createSwaggerObject = require('loopback-swagger').generateSwaggerSpec;
 var SWAGGER_UI_ROOT = require('swagger-ui/index').dist;
 var STATIC_ROOT = path.join(__dirname, 'public');
@@ -135,9 +133,6 @@ function mountSwagger(loopbackApplication, swaggerApp, opts) {
   var resourcePath = (opts && opts.resourcePath) || 'swagger.json';
   if (resourcePath[0] !== '/') resourcePath = '/' + resourcePath;
 
-  var remotes = loopbackApplication.remotes();
-  setupCors(swaggerApp, remotes);
-
   swaggerApp.get(resourcePath, function sendSwaggerObject(req, res) {
     res.status(200).send(swaggerObject);
   });
@@ -146,22 +141,3 @@ function mountSwagger(loopbackApplication, swaggerApp, opts) {
     swaggerObject = createSwaggerObject(loopbackApplication, opts);
   }
 }
-
-function setupCors(swaggerApp, remotes) {
-  var corsOptions = remotes.options && remotes.options.cors;
-  if (corsOptions === false) return;
-
-  deprecated(
-    g.f(
-      'The built-in CORS middleware provided by loopback-component-explorer ' +
-        'was deprecated. See %s for more details.',
-      'https://loopback.io/doc/en/lb3/Security-considerations.html'
-    )
-  );
-
-  if (corsOptions === undefined) {
-    corsOptions = { origin: true, credentials: true };
-  }
-
-  swaggerApp.use(cors(corsOptions));
-}
diff --git a/package.json b/package.json
index 13126f9..dc80385 100644
--- a/package.json
+++ b/package.json
@@ -35,9 +35,7 @@
   },
   "license": "MIT",
   "dependencies": {
-    "cors": "^2.7.1",
     "debug": "^2.2.0",
-    "depd": "^1.1.0",
     "lodash": "^4.17.5",
     "loopback-swagger": "^5.0.0",
     "strong-globalize": "^3.1.0",
diff --git a/test/explorer.test.js b/test/explorer.test.js
index ac9bc66..72ff1ee 100644
--- a/test/explorer.test.js
+++ b/test/explorer.test.js
@@ -258,39 +258,6 @@ describe('explorer', function() {
     });
   });
 
-  describe('Cross-origin resource sharing', function() {
-    it('allows cross-origin requests by default', function(done) {
-      var app = loopback();
-      process.once('deprecation', function() { /* ignore */ });
-      configureRestApiAndExplorer(app, '/explorer');
-
-      request(app)
-        .options('/explorer/swagger.json')
-        .set('Origin', 'http://example.com/')
-        .expect('Access-Control-Allow-Origin', /^http:\/\/example.com\/|\*/)
-        .expect('Access-Control-Allow-Methods', /\bGET\b/)
-        .end(done);
-    });
-
-    it('can be disabled by configuration', function(done) {
-      var app = loopback();
-      app.set('remoting', { cors: false });
-      configureRestApiAndExplorer(app, '/explorer');
-
-      request(app)
-        .options('/explorer/swagger.json')
-        .end(function(err, res) {
-          if (err) return done(err);
-
-          var allowOrigin = res.get('Access-Control-Allow-Origin');
-          expect(allowOrigin, 'Access-Control-Allow-Origin')
-            .to.equal(undefined);
-
-          done();
-        });
-    });
-  });
-
   it('updates swagger object when a new model is added', function(done) {
     var app = loopback();
     app.set('remoting', { cors: false });