From 8ecd65a876af39c03793942359927201e128578a Mon Sep 17 00:00:00 2001
From: Bart Jeukendrup
Date: Mon, 11 Mar 2024 22:37:22 +0100
Subject: [PATCH] fix: make configuring CORS headers more robust
---
 cmd/filter-proxy/main.go | 56 ++++++++++++++++++++++-----------------
 config.yaml | 10 ++++---
 internal/config/config.go | 1 +
 3 files changed, 38 insertions(+), 29 deletions(-)
diff --git a/cmd/filter-proxy/main.go b/cmd/filter-proxy/main.go
index be9ad89..0f52711 100644
--- a/cmd/filter-proxy/main.go
+++ b/cmd/filter-proxy/main.go
@@ -45,12 +45,6 @@ func main() {
 if path.Passthrough {
 router.PathPrefix(path.Path).HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.Method == http.MethodOptions {
- w.Header().Add("Methods", "OPTIONS, GET, HEAD")
- writeError(w, http.StatusOK, "options response from filter-proxy")
- return
- }
-
 client := &http.Client{}
 //http: Request.RequestURI can't be set in client requests.
@@ -105,12 +99,6 @@ func main() {
 return
 }
- if r.Method == http.MethodOptions {
- w.Header().Add("Methods", "OPTIONS, GET, HEAD")
- writeError(w, http.StatusOK, "options response from filter-proxy")
- return
- }
-
 utils.DelHopHeaders(r.Header)
 var bodyFilterParams map[string]interface{}
@@ -309,24 +297,42 @@ func main() {
 }
 }
- var httpHandler http.Handler
+ // By default allow only https://filter-proxy.local
+ corsOptions := cors.Options{
+ AllowedOrigins: []string{
+ "https://filter-proxy.local",
+ },
+ Debug: config.Cors.DebugLogging,
+ OptionsPassthrough: false,
+ }
+
 if len(config.Cors.AllowedOrigins) > 0 {
- c := cors.New(cors.Options{
- AllowedOrigins: config.Cors.AllowedOrigins,
- AllowedMethods: config.Cors.AllowedMethods,
- AllowedHeaders: config.Cors.AllowedHeaders,
- AllowCredentials: config.Cors.AllowCredentials,
- AllowPrivateNetwork: config.Cors.AllowPrivateNetwork,
- })
-
- httpHandler = c.Handler(router)
- } else {
- httpHandler = router
+ corsOptions.AllowedOrigins = config.Cors.AllowedOrigins
 }
+ if len(config.Cors.AllowedMethods) > 0 {
+ corsOptions.AllowedMethods = config.Cors.AllowedMethods
+ }
+
+ if len(config.Cors.AllowedHeaders) > 0 {
+ corsOptions.AllowedHeaders = config.Cors.AllowedHeaders
+ }
+
+ if config.Cors.AllowCredentials {
+ corsOptions.AllowCredentials = config.Cors.AllowCredentials
+ }
+
+ if config.Cors.AllowPrivateNetwork {
+ corsOptions.AllowPrivateNetwork = config.Cors.AllowPrivateNetwork
+ }
+
+ c := cors.New(corsOptions)
+
+ handler := c.Handler(router)
+
 s := &http.Server{
 Addr: config.ListenAddress,
- Handler: requestLoggingMiddleware(httpHandler),
+ Handler: requestLoggingMiddleware(handler),
 ReadTimeout: 10 * time.Second,
 WriteTimeout: 10 * time.Second,
 MaxHeaderBytes: 1 << 20,
diff --git a/config.yaml b/config.yaml
index 2fe2ecc..370bfce 100644
--- a/config.yaml
+++ b/config.yaml
@@ -7,10 +7,12 @@ listenAddress: localhost:8050
 authorizationServiceUrl: http://localhost:8000/atlas/api/v1/authorize
 cors:
- allowedOrigins: []
- allowedMethods: []
- allowedHeaders: []
- allowCredentials: true
+ # allowedOrigins: ["http://www.test.nl"]
+ # allowedMethods: ["GET"]
+ # allowedHeaders: []
+ # allowCredentials: true
+ # allowPrivateNetwork: true
+ # debugLogging: false
 paths:
 - path: /api/ows
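Review bot: In the main.go hunk at `@@ -309,24 +297,42 @@`, nothing validates the combination of `config.Cors.AllowCredentials` with the configured origins before `cors.New(corsOptions)`. If `cors` is rs/cors, as the option names suggest, an origin entry containing a wildcard (constructed example: `https://*.example.org`) makes the middleware echo any matching origin together with `Access-Control-Allow-Credentials: true`, while a bare `*` with credentials is refused by browsers without any server-side error. A startup check along the lines of `if corsOptions.AllowCredentials && strings.Contains(strings.Join(corsOptions.AllowedOrigins, " "), "*") { /* refuse to start */ }` would surface that misconfiguration instead of shipping it. Separately, `OptionsPassthrough: false` only terminates preflight requests, so an OPTIONS request without `Access-Control-Request-Method` now reaches the route handlers whose OPTIONS short-circuit the two earlier hunks remove; it is worth deciding explicitly whether those should be proxied. main's body starts and ends outside this hunk.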
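Review bot: The commented sample in config.yaml pairs a plain `http://` origin with `allowCredentials: true` and `allowPrivateNetwork: true`, so uncommenting the block as written enables credentialed cross-origin access for an origin without transport protection. Prefer an `https://` example origin and show both flags off, e.g. `# allowCredentials: false` and `# allowPrivateNetwork: false`, with a one-line comment that they should be enabled only for origins that need them. A comment above the block saying that an empty `cors:` section falls back to `https://filter-proxy.local` (the default set in main.go) would also tell operators what they get when they leave it untouched.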
diff --git a/internal/config/config.go b/internal/config/config.go
index 792a4b1..029a8b5 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -42,6 +42,7 @@ type Cors struct {
 AllowedHeaders []string `yaml:"allowedHeaders"`
 AllowCredentials bool `yaml:"allowCredentials"`
 AllowPrivateNetwork bool `yaml:"allowPrivateNetwork"`
+ DebugLogging bool `yaml:"debugLogging"`
 }
 type Config struct {
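Review bot: `DebugLogging` is added without a comment, and its effect is only visible in main.go, where it is passed as `Debug` in `cors.Options`. Suggest documenting it on the field, e.g. `// DebugLogging turns on the CORS middleware's debug output (cors.Options.Debug); leave it off outside troubleshooting.` The `Cors` struct starts outside this hunk.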