From 16d88402cbeb51d376d14c9d32e2bc00d00e4cb2 Mon Sep 17 00:00:00 2001 From: vpl Date: Sun, 1 Sep 2019 13:00:12 +0200 Subject: [PATCH 1/2] Initial version of CORS support --- src/main.rs | 3 ++- src/util.rs | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index ffd28564..081997dc 100644 --- a/src/main.rs +++ b/src/main.rs @@ -250,7 +250,8 @@ fn launch_rocket() { let rocket = rocket .manage(db::init_pool()) .manage(api::start_notification_server()) - .attach(util::AppHeaders()); + .attach(util::AppHeaders()) + .attach(util::CORS()); // Launch and print error if there is one // The launch will restore the original logging level diff --git a/src/util.rs b/src/util.rs index c9815f15..6792fdc5 100644 --- a/src/util.rs +++ b/src/util.rs @@ -4,6 +4,8 @@ use rocket::fairing::{Fairing, Info, Kind}; use rocket::response::{self, Responder}; use rocket::{Request, Response}; +use rocket::http::{Header, ContentType, Method}; +use std::io::Cursor; pub struct AppHeaders(); @@ -31,6 +33,39 @@ impl Fairing for AppHeaders { } } + +pub struct CORS(); + +impl Fairing for CORS { + fn info(&self) -> Info { + Info { + name: "Add CORS headers to requests", + kind: Kind::Response + } + } + + fn on_response(&self, request: &Request, response: &mut Response) { + // We need to explictly get the Origin header for Access-Control-Allow-Origin + let origin = match request.headers().get_one("Origin") { + Some(h) => h.to_string(), + _ => "".to_string(), + }; + + if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) { + // Requests with credentials need explicit values since they do not allow wildcards. + response.set_header(Header::new("Access-Control-Allow-Origin", origin)); + response.set_header(Header::new("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH")); + response.set_header(Header::new("Access-Control-Allow-Headers", "*, Authorization")); + response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); + } + + if request.method() == Method::Options { + response.set_header(ContentType::Plain); + response.set_sized_body(Cursor::new("")); + } + } +} + pub struct Cached(R, &'static str); impl Cached { From 5a2f968d7a868fcfed2c67055ada88dd7a8db06b Mon Sep 17 00:00:00 2001 From: vpl Date: Mon, 2 Sep 2019 21:13:12 +0200 Subject: [PATCH 2/2] Set correct response headers, status code --- src/util.rs | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/src/util.rs b/src/util.rs index 6792fdc5..a3548fcb 100644 --- a/src/util.rs +++ b/src/util.rs @@ -4,7 +4,7 @@ use rocket::fairing::{Fairing, Info, Kind}; use rocket::response::{self, Responder}; use rocket::{Request, Response}; -use rocket::http::{Header, ContentType, Method}; +use rocket::http::{Header, HeaderMap, ContentType, Method, Status}; use std::io::Cursor; pub struct AppHeaders(); @@ -33,9 +33,17 @@ impl Fairing for AppHeaders { } } - pub struct CORS(); +impl CORS { + fn get_header(headers: &HeaderMap, name: &str) -> String { + match headers.get_one(name) { + Some(h) => h.to_string(), + _ => "".to_string(), + } + } +} + impl Fairing for CORS { fn info(&self) -> Info { Info { @@ -45,21 +53,25 @@ impl Fairing for CORS { } fn on_response(&self, request: &Request, response: &mut Response) { - // We need to explictly get the Origin header for Access-Control-Allow-Origin - let origin = match request.headers().get_one("Origin") { - Some(h) => h.to_string(), - _ => "".to_string(), - }; + let req_headers = request.headers(); + + // We need to explicitly get the Origin header for Access-Control-Allow-Origin + let req_allow_origin = CORS::get_header(&req_headers, "Origin"); + + let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); + + let req_allow_methods =CORS::get_header(&req_headers,"Access-Control-Request-Methods"); if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) { // Requests with credentials need explicit values since they do not allow wildcards. - response.set_header(Header::new("Access-Control-Allow-Origin", origin)); - response.set_header(Header::new("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH")); - response.set_header(Header::new("Access-Control-Allow-Headers", "*, Authorization")); + response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); + response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_methods)); + response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers)); response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); } if request.method() == Method::Options { + response.set_status(Status::Ok); response.set_header(ContentType::Plain); response.set_sized_body(Cursor::new("")); }