1
0
mirror of https://github.com/actix/actix-extras.git synced 2024-12-02 19:12:24 +01:00
actix-extras/actix-cors/src/lib.rs

1196 lines
40 KiB
Rust
Raw Normal View History

2019-07-17 11:08:30 +02:00
#![allow(clippy::borrow_interior_mutable_const, clippy::type_complexity)]
2018-01-10 07:33:51 +01:00
//! Cross-origin resource sharing (CORS) for Actix applications
2018-01-10 08:55:42 +01:00
//!
//! CORS middleware could be used with application and with resource.
2019-03-25 21:02:10 +01:00
//! Cors middleware could be used as parameter for `App::wrap()`,
//! `Resource::wrap()` or `Scope::wrap()` methods.
2018-01-10 08:55:42 +01:00
//!
//! # Example
//!
//! ```rust
//! use actix_cors::Cors;
2019-03-24 05:29:16 +01:00
//! use actix_web::{http, web, App, HttpRequest, HttpResponse, HttpServer};
2018-01-10 08:55:42 +01:00
//!
2019-11-22 06:49:35 +01:00
//! async fn index(req: HttpRequest) -> &'static str {
2018-06-01 18:37:14 +02:00
//! "Hello world"
2018-01-10 08:55:42 +01:00
//! }
//!
2019-03-24 05:29:16 +01:00
//! fn main() -> std::io::Result<()> {
//! HttpServer::new(|| App::new()
2019-03-25 21:02:10 +01:00
//! .wrap(
2019-03-24 05:29:16 +01:00
//! Cors::new() // <- Construct CORS middleware builder
//! .allowed_origin("https://www.rust-lang.org/")
//! .allowed_methods(vec!["GET", "POST"])
//! .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])
//! .allowed_header(http::header::CONTENT_TYPE)
2019-11-21 05:54:07 +01:00
//! .max_age(3600)
//! .finish())
2019-03-24 05:29:16 +01:00
//! .service(
//! web::resource("/index.html")
//! .route(web::get().to(index))
//! .route(web::head().to(|| HttpResponse::MethodNotAllowed()))
//! ))
//! .bind("127.0.0.1:8080")?;
//!
//! Ok(())
2018-01-10 08:55:42 +01:00
//! }
//! ```
2018-04-14 01:02:01 +02:00
//! In this example custom *CORS* middleware get registered for "/index.html"
//! endpoint.
2018-01-10 08:55:42 +01:00
//!
//! Cors middleware automatically handle *OPTIONS* preflight request.
2018-01-10 07:33:51 +01:00
use std::collections::HashSet;
2018-01-10 22:41:33 +01:00
use std::iter::FromIterator;
use std::rc::Rc;
2019-11-21 05:54:07 +01:00
use std::task::{Context, Poll};
2018-01-10 07:33:51 +01:00
2019-11-21 05:54:07 +01:00
use actix_service::{Service, Transform};
use actix_web::dev::{RequestHead, ServiceRequest, ServiceResponse};
use actix_web::error::{Error, ResponseError, Result};
use actix_web::http::header::{self, HeaderName, HeaderValue};
use actix_web::http::{self, HttpTryFrom, Method, StatusCode, Uri};
use actix_web::HttpResponse;
2019-03-24 05:29:16 +01:00
use derive_more::Display;
2019-11-21 05:54:07 +01:00
use futures::future::{ok, Either, FutureExt, LocalBoxFuture, Ready};
2018-01-10 07:33:51 +01:00
/// A set of errors that can occur during processing CORS
2019-03-24 05:29:16 +01:00
#[derive(Debug, Display)]
2018-01-10 23:20:00 +01:00
pub enum CorsError {
2018-01-10 07:33:51 +01:00
/// The HTTP request header `Origin` is required but was not provided
2019-03-24 05:29:16 +01:00
#[display(
fmt = "The HTTP request header `Origin` is required but was not provided"
2018-04-29 07:55:47 +02:00
)]
2018-01-10 07:33:51 +01:00
MissingOrigin,
/// The HTTP request header `Origin` could not be parsed correctly.
2019-03-24 05:29:16 +01:00
#[display(fmt = "The HTTP request header `Origin` could not be parsed correctly.")]
2018-01-10 07:33:51 +01:00
BadOrigin,
2018-04-14 01:02:01 +02:00
/// The request header `Access-Control-Request-Method` is required but is
/// missing
2019-03-24 05:29:16 +01:00
#[display(
fmt = "The request header `Access-Control-Request-Method` is required but is missing"
2018-04-29 07:55:47 +02:00
)]
2018-01-10 07:33:51 +01:00
MissingRequestMethod,
/// The request header `Access-Control-Request-Method` has an invalid value
2019-03-24 05:29:16 +01:00
#[display(
fmt = "The request header `Access-Control-Request-Method` has an invalid value"
2018-04-29 07:55:47 +02:00
)]
2018-01-10 07:33:51 +01:00
BadRequestMethod,
2018-04-14 01:02:01 +02:00
/// The request header `Access-Control-Request-Headers` has an invalid
/// value
2019-03-24 05:29:16 +01:00
#[display(
fmt = "The request header `Access-Control-Request-Headers` has an invalid value"
2018-04-29 07:55:47 +02:00
)]
2018-01-10 08:55:42 +01:00
BadRequestHeaders,
2018-01-10 07:33:51 +01:00
/// Origin is not allowed to make this request
2019-03-24 05:29:16 +01:00
#[display(fmt = "Origin is not allowed to make this request")]
2018-01-10 07:33:51 +01:00
OriginNotAllowed,
/// Requested method is not allowed
2019-03-24 05:29:16 +01:00
#[display(fmt = "Requested method is not allowed")]
2018-01-10 07:33:51 +01:00
MethodNotAllowed,
/// One or more headers requested are not allowed
2019-03-24 05:29:16 +01:00
#[display(fmt = "One or more headers requested are not allowed")]
2018-01-10 07:33:51 +01:00
HeadersNotAllowed,
2018-01-10 22:41:33 +01:00
}
2018-01-10 23:20:00 +01:00
impl ResponseError for CorsError {
2018-01-10 07:33:51 +01:00
fn error_response(&self) -> HttpResponse {
2019-03-24 05:29:16 +01:00
HttpResponse::with_body(StatusCode::BAD_REQUEST, format!("{}", self).into())
2018-01-10 07:33:51 +01:00
}
}
2018-04-14 01:02:01 +02:00
/// An enum signifying that some of type T is allowed, or `All` (everything is
/// allowed).
2018-01-10 07:33:51 +01:00
///
/// `Default` is implemented for this enum and is `All`.
#[derive(Clone, Debug, Eq, PartialEq)]
pub enum AllOrSome<T> {
/// Everything is allowed. Usually equivalent to the "*" value.
All,
/// Only some of `T` is allowed
Some(T),
}
impl<T> Default for AllOrSome<T> {
fn default() -> Self {
AllOrSome::All
}
}
impl<T> AllOrSome<T> {
/// Returns whether this is an `All` variant
pub fn is_all(&self) -> bool {
match *self {
AllOrSome::All => true,
AllOrSome::Some(_) => false,
}
}
/// Returns whether this is a `Some` variant
pub fn is_some(&self) -> bool {
!self.is_all()
}
2018-01-10 08:55:42 +01:00
/// Returns &T
pub fn as_ref(&self) -> Option<&T> {
match *self {
AllOrSome::All => None,
AllOrSome::Some(ref t) => Some(t),
}
}
2018-01-10 07:33:51 +01:00
}
2018-04-14 01:02:01 +02:00
/// Structure that follows the builder pattern for building `Cors` middleware
/// structs.
2018-01-10 07:33:51 +01:00
///
/// To construct a cors:
///
/// 1. Call [`Cors::build`](struct.Cors.html#method.build) to start building.
/// 2. Use any of the builder methods to set fields in the backend.
2018-04-14 01:02:01 +02:00
/// 3. Call [finish](struct.Cors.html#method.finish) to retrieve the
/// constructed backend.
2018-01-10 07:33:51 +01:00
///
/// # Example
///
/// ```rust
/// use actix_cors::Cors;
2019-03-24 05:29:16 +01:00
/// use actix_web::http::header;
2018-01-10 07:33:51 +01:00
///
/// # fn main() {
/// let cors = Cors::new()
2018-01-10 07:33:51 +01:00
/// .allowed_origin("https://www.rust-lang.org/")
/// .allowed_methods(vec!["GET", "POST"])
/// .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
/// .allowed_header(header::CONTENT_TYPE)
2019-03-24 05:29:16 +01:00
/// .max_age(3600);
2018-01-10 07:33:51 +01:00
/// # }
/// ```
2019-07-17 11:08:30 +02:00
#[derive(Default)]
2019-03-24 05:29:16 +01:00
pub struct Cors {
cors: Option<Inner>,
2018-01-10 07:33:51 +01:00
methods: bool,
error: Option<http::Error>,
2018-01-10 22:41:33 +01:00
expose_hdrs: HashSet<HeaderName>,
2018-01-10 07:33:51 +01:00
}
2019-03-24 05:29:16 +01:00
impl Cors {
/// Build a new CORS middleware instance
pub fn new() -> Cors {
Cors {
cors: Some(Inner {
origins: AllOrSome::All,
origins_str: None,
methods: HashSet::new(),
headers: AllOrSome::All,
expose_hdrs: None,
max_age: None,
preflight: true,
send_wildcard: false,
supports_credentials: false,
vary_header: true,
}),
methods: false,
error: None,
expose_hdrs: HashSet::new(),
}
}
/// Build a new CORS default middleware
pub fn default() -> CorsFactory {
let inner = Inner {
origins: AllOrSome::default(),
origins_str: None,
methods: HashSet::from_iter(
vec![
Method::GET,
Method::HEAD,
Method::POST,
Method::OPTIONS,
Method::PUT,
Method::PATCH,
Method::DELETE,
]
.into_iter(),
),
headers: AllOrSome::All,
expose_hdrs: None,
max_age: None,
preflight: true,
send_wildcard: false,
supports_credentials: false,
vary_header: true,
};
CorsFactory {
inner: Rc::new(inner),
}
2018-01-10 07:33:51 +01:00
}
/// Add an origin that are allowed to make requests.
/// Will be verified against the `Origin` request header.
///
/// When `All` is set, and `send_wildcard` is set, "*" will be sent in
2018-04-14 01:02:01 +02:00
/// the `Access-Control-Allow-Origin` response header. Otherwise, the
/// client's `Origin` request header will be echoed back in the
/// `Access-Control-Allow-Origin` response header.
2018-01-10 07:33:51 +01:00
///
2018-04-14 01:02:01 +02:00
/// When `Some` is set, the client's `Origin` request header will be
/// checked in a case-sensitive manner.
2018-01-10 07:33:51 +01:00
///
/// This is the `list of origins` in the
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
///
/// Defaults to `All`.
///
/// Builder panics if supplied origin is not valid uri.
2019-03-24 05:29:16 +01:00
pub fn allowed_origin(mut self, origin: &str) -> Cors {
2018-01-10 07:33:51 +01:00
if let Some(cors) = cors(&mut self.cors, &self.error) {
match Uri::try_from(origin) {
2018-01-12 05:11:34 +01:00
Ok(_) => {
2018-01-10 07:33:51 +01:00
if cors.origins.is_all() {
cors.origins = AllOrSome::Some(HashSet::new());
}
if let AllOrSome::Some(ref mut origins) = cors.origins {
2018-01-12 05:11:34 +01:00
origins.insert(origin.to_owned());
2018-01-10 07:33:51 +01:00
}
}
Err(e) => {
self.error = Some(e.into());
}
}
}
self
}
2018-04-14 01:02:01 +02:00
/// Set a list of methods which the allowed origins are allowed to access
/// for requests.
2018-01-10 07:33:51 +01:00
///
/// This is the `list of methods` in the
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
///
/// Defaults to `[GET, HEAD, POST, OPTIONS, PUT, PATCH, DELETE]`
2019-03-24 05:29:16 +01:00
pub fn allowed_methods<U, M>(mut self, methods: U) -> Cors
2018-04-14 01:02:01 +02:00
where
U: IntoIterator<Item = M>,
Method: HttpTryFrom<M>,
2018-01-10 07:33:51 +01:00
{
self.methods = true;
if let Some(cors) = cors(&mut self.cors, &self.error) {
for m in methods {
2018-01-10 07:33:51 +01:00
match Method::try_from(m) {
Ok(method) => {
cors.methods.insert(method);
2018-04-14 01:02:01 +02:00
}
2018-01-10 07:33:51 +01:00
Err(e) => {
self.error = Some(e.into());
2018-04-14 01:02:01 +02:00
break;
2018-01-10 07:33:51 +01:00
}
}
2018-04-14 01:02:01 +02:00
}
2018-01-10 07:33:51 +01:00
}
self
}
/// Set an allowed header
2019-03-24 05:29:16 +01:00
pub fn allowed_header<H>(mut self, header: H) -> Cors
2018-04-14 01:02:01 +02:00
where
HeaderName: HttpTryFrom<H>,
2018-01-10 07:33:51 +01:00
{
if let Some(cors) = cors(&mut self.cors, &self.error) {
match HeaderName::try_from(header) {
Ok(method) => {
if cors.headers.is_all() {
cors.headers = AllOrSome::Some(HashSet::new());
}
if let AllOrSome::Some(ref mut headers) = cors.headers {
headers.insert(method);
}
}
Err(e) => self.error = Some(e.into()),
}
}
self
}
/// Set a list of header field names which can be used when
/// this resource is accessed by allowed origins.
///
2018-04-14 01:02:01 +02:00
/// If `All` is set, whatever is requested by the client in
/// `Access-Control-Request-Headers` will be echoed back in the
/// `Access-Control-Allow-Headers` header.
2018-01-10 07:33:51 +01:00
///
/// This is the `list of headers` in the
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
///
/// Defaults to `All`.
2019-03-24 05:29:16 +01:00
pub fn allowed_headers<U, H>(mut self, headers: U) -> Cors
2018-04-14 01:02:01 +02:00
where
U: IntoIterator<Item = H>,
HeaderName: HttpTryFrom<H>,
2018-01-10 07:33:51 +01:00
{
if let Some(cors) = cors(&mut self.cors, &self.error) {
for h in headers {
2018-01-10 07:33:51 +01:00
match HeaderName::try_from(h) {
Ok(method) => {
if cors.headers.is_all() {
cors.headers = AllOrSome::Some(HashSet::new());
}
if let AllOrSome::Some(ref mut headers) = cors.headers {
headers.insert(method);
}
}
Err(e) => {
self.error = Some(e.into());
2018-04-14 01:02:01 +02:00
break;
2018-01-10 07:33:51 +01:00
}
}
2018-04-14 01:02:01 +02:00
}
2018-01-10 07:33:51 +01:00
}
self
}
2018-04-14 01:02:01 +02:00
/// Set a list of headers which are safe to expose to the API of a CORS API
/// specification. This corresponds to the
/// `Access-Control-Expose-Headers` response header.
2018-01-10 22:41:33 +01:00
///
/// This is the `list of exposed headers` in the
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
///
/// This defaults to an empty set.
2019-03-24 05:29:16 +01:00
pub fn expose_headers<U, H>(mut self, headers: U) -> Cors
2018-04-14 01:02:01 +02:00
where
U: IntoIterator<Item = H>,
HeaderName: HttpTryFrom<H>,
2018-01-10 22:41:33 +01:00
{
for h in headers {
match HeaderName::try_from(h) {
Ok(method) => {
self.expose_hdrs.insert(method);
2018-04-14 01:02:01 +02:00
}
2018-01-10 22:41:33 +01:00
Err(e) => {
self.error = Some(e.into());
2018-04-14 01:02:01 +02:00
break;
2018-01-10 22:41:33 +01:00
}
}
}
self
}
2018-01-10 07:33:51 +01:00
/// Set a maximum time for which this CORS request maybe cached.
/// This value is set as the `Access-Control-Max-Age` header.
///
/// This defaults to `None` (unset).
2019-03-24 05:29:16 +01:00
pub fn max_age(mut self, max_age: usize) -> Cors {
2018-01-10 07:33:51 +01:00
if let Some(cors) = cors(&mut self.cors, &self.error) {
cors.max_age = Some(max_age)
}
self
}
2018-01-10 08:55:42 +01:00
/// Set a wildcard origins
///
2018-04-14 01:02:01 +02:00
/// If send wildcard is set and the `allowed_origins` parameter is `All`, a
/// wildcard `Access-Control-Allow-Origin` response header is sent,
/// rather than the requests `Origin` header.
2018-01-10 08:55:42 +01:00
///
/// This is the `supports credentials flag` in the
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
///
2018-04-14 01:02:01 +02:00
/// This **CANNOT** be used in conjunction with `allowed_origins` set to
/// `All` and `allow_credentials` set to `true`. Depending on the mode
/// of usage, this will either result in an `Error::
/// CredentialsWithWildcardOrigin` error during actix launch or runtime.
2018-01-10 08:55:42 +01:00
///
/// Defaults to `false`.
2019-03-24 05:29:16 +01:00
pub fn send_wildcard(mut self) -> Cors {
2018-01-10 08:55:42 +01:00
if let Some(cors) = cors(&mut self.cors, &self.error) {
2018-01-10 22:41:33 +01:00
cors.send_wildcard = true
}
self
}
/// Allows users to make authenticated requests
///
2018-04-14 01:02:01 +02:00
/// If true, injects the `Access-Control-Allow-Credentials` header in
/// responses. This allows cookies and credentials to be submitted
/// across domains.
2018-01-10 22:41:33 +01:00
///
2018-04-14 01:02:01 +02:00
/// This option cannot be used in conjunction with an `allowed_origin` set
/// to `All` and `send_wildcards` set to `true`.
2018-01-10 22:41:33 +01:00
///
/// Defaults to `false`.
///
/// Builder panics if credentials are allowed, but the Origin is set to "*".
/// This is not allowed by W3C
2019-03-24 05:29:16 +01:00
pub fn supports_credentials(mut self) -> Cors {
2018-01-10 22:41:33 +01:00
if let Some(cors) = cors(&mut self.cors, &self.error) {
cors.supports_credentials = true
2018-01-10 08:55:42 +01:00
}
self
}
2018-01-10 22:41:33 +01:00
/// Disable `Vary` header support.
///
/// When enabled the header `Vary: Origin` will be returned as per the W3
/// implementation guidelines.
///
/// Setting this header when the `Access-Control-Allow-Origin` is
/// dynamically generated (e.g. when there is more than one allowed
/// origin, and an Origin than '*' is returned) informs CDNs and other
/// caches that the CORS headers are dynamic, and cannot be cached.
///
/// By default `vary` header support is enabled.
2019-03-24 05:29:16 +01:00
pub fn disable_vary_header(mut self) -> Cors {
2018-01-10 22:41:33 +01:00
if let Some(cors) = cors(&mut self.cors, &self.error) {
cors.vary_header = false
}
self
}
/// Disable *preflight* request support.
///
/// When enabled cors middleware automatically handles *OPTIONS* request.
/// This is useful application level middleware.
///
/// By default *preflight* support is enabled.
2019-03-24 05:29:16 +01:00
pub fn disable_preflight(mut self) -> Cors {
2018-01-10 22:41:33 +01:00
if let Some(cors) = cors(&mut self.cors, &self.error) {
cors.preflight = false
}
self
}
2019-11-21 05:54:07 +01:00
/// Construct cors middleware
pub fn finish(self) -> CorsFactory {
2019-03-24 05:29:16 +01:00
let mut slf = if !self.methods {
2018-04-14 01:02:01 +02:00
self.allowed_methods(vec![
Method::GET,
Method::HEAD,
Method::POST,
Method::OPTIONS,
Method::PUT,
Method::PATCH,
Method::DELETE,
2019-03-24 05:29:16 +01:00
])
} else {
self
};
2018-01-10 07:33:51 +01:00
2019-03-24 05:29:16 +01:00
if let Some(e) = slf.error.take() {
panic!("{}", e);
2018-01-10 22:41:33 +01:00
}
2019-03-24 05:29:16 +01:00
let mut cors = slf.cors.take().expect("cannot reuse CorsBuilder");
2018-01-10 22:41:33 +01:00
if cors.supports_credentials && cors.send_wildcard && cors.origins.is_all() {
panic!("Credentials are allowed, but the Origin is set to \"*\"");
2018-01-10 22:41:33 +01:00
}
if let AllOrSome::Some(ref origins) = cors.origins {
2018-04-29 18:09:08 +02:00
let s = origins
.iter()
.fold(String::new(), |s, v| format!("{}, {}", s, v));
cors.origins_str = Some(HeaderValue::try_from(&s[2..]).unwrap());
2018-01-10 22:41:33 +01:00
}
2019-03-24 05:29:16 +01:00
if !slf.expose_hdrs.is_empty() {
2018-01-10 22:41:33 +01:00
cors.expose_hdrs = Some(
2019-03-24 05:29:16 +01:00
slf.expose_hdrs
2018-08-23 18:48:01 +02:00
.iter()
.fold(String::new(), |s, v| format!("{}, {}", s, v.as_str()))[2..]
2018-08-23 18:48:01 +02:00
.to_owned(),
2018-04-14 01:02:01 +02:00
);
}
2019-03-24 05:29:16 +01:00
CorsFactory {
2018-04-14 01:02:01 +02:00
inner: Rc::new(cors),
2018-01-10 07:33:51 +01:00
}
2018-01-10 22:41:33 +01:00
}
2019-03-24 05:29:16 +01:00
}
2019-11-21 05:54:07 +01:00
fn cors<'a>(
parts: &'a mut Option<Inner>,
err: &Option<http::Error>,
) -> Option<&'a mut Inner> {
if err.is_some() {
return None;
}
parts.as_mut()
}
2019-03-24 05:29:16 +01:00
/// `Middleware` for Cross-origin resource sharing support
///
/// The Cors struct contains the settings for CORS requests to be validated and
/// for responses to be generated.
pub struct CorsFactory {
inner: Rc<Inner>,
}
impl<S, B> Transform<S> for CorsFactory
2019-03-24 05:29:16 +01:00
where
2019-04-25 20:14:32 +02:00
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
2019-03-24 05:29:16 +01:00
S::Future: 'static,
B: 'static,
{
type Request = ServiceRequest;
2019-03-24 05:29:16 +01:00
type Response = ServiceResponse<B>;
2019-04-25 20:14:32 +02:00
type Error = Error;
2019-03-24 05:29:16 +01:00
type InitError = ();
type Transform = CorsMiddleware<S>;
2019-11-21 05:54:07 +01:00
type Future = Ready<Result<Self::Transform, Self::InitError>>;
2019-03-24 05:29:16 +01:00
fn new_transform(&self, service: S) -> Self::Future {
ok(CorsMiddleware {
service,
inner: self.inner.clone(),
})
}
2019-03-24 05:29:16 +01:00
}
2019-03-24 05:29:16 +01:00
/// `Middleware` for Cross-origin resource sharing support
///
/// The Cors struct contains the settings for CORS requests to be validated and
/// for responses to be generated.
#[derive(Clone)]
pub struct CorsMiddleware<S> {
service: S,
inner: Rc<Inner>,
}
struct Inner {
methods: HashSet<Method>,
origins: AllOrSome<HashSet<String>>,
origins_str: Option<HeaderValue>,
headers: AllOrSome<HashSet<HeaderName>>,
expose_hdrs: Option<String>,
max_age: Option<usize>,
preflight: bool,
send_wildcard: bool,
supports_credentials: bool,
vary_header: bool,
}
impl Inner {
fn validate_origin(&self, req: &RequestHead) -> Result<(), CorsError> {
if let Some(hdr) = req.headers().get(&header::ORIGIN) {
2019-03-24 05:29:16 +01:00
if let Ok(origin) = hdr.to_str() {
return match self.origins {
AllOrSome::All => Ok(()),
AllOrSome::Some(ref allowed_origins) => allowed_origins
.get(origin)
.and_then(|_| Some(()))
.ok_or_else(|| CorsError::OriginNotAllowed),
};
}
Err(CorsError::BadOrigin)
} else {
2019-07-17 11:48:37 +02:00
match self.origins {
2019-03-24 05:29:16 +01:00
AllOrSome::All => Ok(()),
_ => Err(CorsError::MissingOrigin),
2019-07-17 11:48:37 +02:00
}
}
2019-03-24 05:29:16 +01:00
}
2019-03-24 05:29:16 +01:00
fn access_control_allow_origin(&self, req: &RequestHead) -> Option<HeaderValue> {
match self.origins {
AllOrSome::All => {
if self.send_wildcard {
Some(HeaderValue::from_static("*"))
} else if let Some(origin) = req.headers().get(&header::ORIGIN) {
2019-03-24 05:29:16 +01:00
Some(origin.clone())
} else {
None
}
}
AllOrSome::Some(ref origins) => {
if let Some(origin) =
req.headers()
.get(&header::ORIGIN)
2019-03-24 05:29:16 +01:00
.filter(|o| match o.to_str() {
Ok(os) => origins.contains(os),
_ => false,
})
{
Some(origin.clone())
} else {
Some(self.origins_str.as_ref().unwrap().clone())
}
}
}
}
2019-03-24 05:29:16 +01:00
fn validate_allowed_method(&self, req: &RequestHead) -> Result<(), CorsError> {
if let Some(hdr) = req.headers().get(&header::ACCESS_CONTROL_REQUEST_METHOD) {
2019-03-24 05:29:16 +01:00
if let Ok(meth) = hdr.to_str() {
if let Ok(method) = Method::try_from(meth) {
return self
.methods
.get(&method)
.and_then(|_| Some(()))
.ok_or_else(|| CorsError::MethodNotAllowed);
}
}
Err(CorsError::BadRequestMethod)
} else {
Err(CorsError::MissingRequestMethod)
}
2019-03-24 05:29:16 +01:00
}
2019-03-24 05:29:16 +01:00
fn validate_allowed_headers(&self, req: &RequestHead) -> Result<(), CorsError> {
match self.headers {
AllOrSome::All => Ok(()),
AllOrSome::Some(ref allowed_headers) => {
if let Some(hdr) =
req.headers().get(&header::ACCESS_CONTROL_REQUEST_HEADERS)
2019-03-24 05:29:16 +01:00
{
if let Ok(headers) = hdr.to_str() {
let mut hdrs = HashSet::new();
for hdr in headers.split(',') {
match HeaderName::try_from(hdr.trim()) {
Ok(hdr) => hdrs.insert(hdr),
Err(_) => return Err(CorsError::BadRequestHeaders),
};
}
// `Access-Control-Request-Headers` must contain 1 or more
// `field-name`.
if !hdrs.is_empty() {
if !hdrs.is_subset(allowed_headers) {
return Err(CorsError::HeadersNotAllowed);
}
return Ok(());
2019-03-24 05:29:16 +01:00
}
}
Err(CorsError::BadRequestHeaders)
} else {
2019-07-17 11:48:37 +02:00
Ok(())
2019-03-24 05:29:16 +01:00
}
}
}
}
2018-01-10 22:41:33 +01:00
}
impl<S, B> Service for CorsMiddleware<S>
2019-03-24 05:29:16 +01:00
where
2019-04-25 20:14:32 +02:00
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
2019-03-24 05:29:16 +01:00
S::Future: 'static,
B: 'static,
{
type Request = ServiceRequest;
2019-03-24 05:29:16 +01:00
type Response = ServiceResponse<B>;
2019-04-25 20:14:32 +02:00
type Error = Error;
2019-03-24 05:29:16 +01:00
type Future = Either<
2019-11-21 05:54:07 +01:00
Ready<Result<Self::Response, Error>>,
LocalBoxFuture<'static, Result<Self::Response, Error>>,
2019-03-24 05:29:16 +01:00
>;
2019-11-21 05:54:07 +01:00
fn poll_ready(&mut self, cx: &mut Context) -> Poll<Result<(), Self::Error>> {
self.service.poll_ready(cx)
2019-03-24 05:29:16 +01:00
}
2018-01-10 22:41:33 +01:00
fn call(&mut self, req: ServiceRequest) -> Self::Future {
2019-03-24 05:29:16 +01:00
if self.inner.preflight && Method::OPTIONS == *req.method() {
if let Err(e) = self
.inner
2019-04-02 22:35:01 +02:00
.validate_origin(req.head())
.and_then(|_| self.inner.validate_allowed_method(req.head()))
.and_then(|_| self.inner.validate_allowed_headers(req.head()))
2019-03-24 05:29:16 +01:00
{
2019-11-21 05:54:07 +01:00
return Either::Left(ok(req.error_response(e)));
2018-01-10 22:41:33 +01:00
}
2019-03-24 05:29:16 +01:00
// allowed headers
let headers = if let Some(headers) = self.inner.headers.as_ref() {
Some(
HeaderValue::try_from(
&headers
.iter()
.fold(String::new(), |s, v| s + "," + v.as_str())
.as_str()[1..],
)
.unwrap(),
)
} else if let Some(hdr) =
req.headers().get(&header::ACCESS_CONTROL_REQUEST_HEADERS)
2019-03-24 05:29:16 +01:00
{
Some(hdr.clone())
} else {
None
};
let res = HttpResponse::Ok()
.if_some(self.inner.max_age.as_ref(), |max_age, resp| {
let _ = resp.header(
header::ACCESS_CONTROL_MAX_AGE,
format!("{}", max_age).as_str(),
);
})
.if_some(headers, |headers, resp| {
let _ = resp.header(header::ACCESS_CONTROL_ALLOW_HEADERS, headers);
})
.if_some(
2019-04-02 22:35:01 +02:00
self.inner.access_control_allow_origin(req.head()),
2019-03-24 05:29:16 +01:00
|origin, resp| {
let _ = resp.header(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);
},
)
.if_true(self.inner.supports_credentials, |resp| {
resp.header(header::ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
})
.header(
header::ACCESS_CONTROL_ALLOW_METHODS,
&self
.inner
.methods
.iter()
.fold(String::new(), |s, v| s + "," + v.as_str())
.as_str()[1..],
)
.finish()
.into_body();
2019-11-21 05:54:07 +01:00
Either::Left(ok(req.into_response(res)))
} else {
if req.headers().contains_key(&header::ORIGIN) {
// Only check requests with a origin header.
if let Err(e) = self.inner.validate_origin(req.head()) {
return Either::Left(ok(req.error_response(e)));
}
2018-01-10 22:41:33 +01:00
}
2019-03-24 05:29:16 +01:00
let inner = self.inner.clone();
2019-11-21 05:54:07 +01:00
let has_origin = req.headers().contains_key(&header::ORIGIN);
let fut = self.service.call(req);
Either::Right(
async move {
let res = fut.await;
if has_origin {
let mut res = res?;
if let Some(origin) =
inner.access_control_allow_origin(res.request().head())
{
res.headers_mut().insert(
header::ACCESS_CONTROL_ALLOW_ORIGIN,
origin.clone(),
);
};
if let Some(ref expose) = inner.expose_hdrs {
res.headers_mut().insert(
header::ACCESS_CONTROL_EXPOSE_HEADERS,
HeaderValue::try_from(expose.as_str()).unwrap(),
);
}
if inner.supports_credentials {
res.headers_mut().insert(
header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
HeaderValue::from_static("true"),
);
}
if inner.vary_header {
let value = if let Some(hdr) =
res.headers_mut().get(&header::VARY)
{
2019-03-24 05:29:16 +01:00
let mut val: Vec<u8> =
Vec::with_capacity(hdr.as_bytes().len() + 8);
val.extend(hdr.as_bytes());
val.extend(b", Origin");
HeaderValue::try_from(&val[..]).unwrap()
} else {
HeaderValue::from_static("Origin")
};
2019-11-21 05:54:07 +01:00
res.headers_mut().insert(header::VARY, value);
}
Ok(res)
} else {
res
2019-03-24 05:29:16 +01:00
}
2019-11-21 05:54:07 +01:00
}
.boxed_local(),
)
2018-01-10 22:41:33 +01:00
}
}
2019-03-24 05:29:16 +01:00
}
#[cfg(test)]
mod tests {
2019-11-21 05:54:07 +01:00
use actix_service::{service_fn2, Transform};
2019-11-26 06:25:50 +01:00
use actix_web::test::{self, TestRequest};
2019-03-24 05:29:16 +01:00
use super::*;
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
#[should_panic(expected = "Credentials are allowed, but the Origin is set to")]
2019-11-26 06:25:50 +01:00
async fn cors_validates_illegal_allow_credentials() {
2019-11-21 05:54:07 +01:00
let _cors = Cors::new().supports_credentials().send_wildcard().finish();
}
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn validate_origin_allows_all_origins() {
let mut cors = Cors::new()
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(resp.status(), StatusCode::OK);
2018-01-10 22:41:33 +01:00
}
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn default() {
let mut cors = Cors::default()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(resp.status(), StatusCode::OK);
2019-04-15 05:20:33 +02:00
}
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn test_preflight() {
let mut cors = Cors::new()
.send_wildcard()
.max_age(3600)
.allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST])
.allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
.allowed_header(header::CONTENT_TYPE)
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::OPTIONS)
.header(header::ACCESS_CONTROL_REQUEST_HEADERS, "X-Not-Allowed")
.to_srv_request();
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
assert!(cors.inner.validate_allowed_headers(req.head()).is_err());
let resp = test::call_service(&mut cors, req).await;
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let req = TestRequest::with_header("Origin", "https://www.example.com")
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "put")
.method(Method::OPTIONS)
.to_srv_request();
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
assert!(cors.inner.validate_allowed_headers(req.head()).is_ok());
let req = TestRequest::with_header("Origin", "https://www.example.com")
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
.header(
header::ACCESS_CONTROL_REQUEST_HEADERS,
"AUTHORIZATION,ACCEPT",
)
.method(Method::OPTIONS)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"*"[..],
resp.headers()
.get(&header::ACCESS_CONTROL_ALLOW_ORIGIN)
2018-04-29 18:09:08 +02:00
.unwrap()
2019-11-26 06:25:50 +01:00
.as_bytes()
);
assert_eq!(
&b"3600"[..],
resp.headers()
.get(&header::ACCESS_CONTROL_MAX_AGE)
2018-04-29 18:09:08 +02:00
.unwrap()
2019-11-26 06:25:50 +01:00
.as_bytes()
);
let hdr = resp
.headers()
.get(&header::ACCESS_CONTROL_ALLOW_HEADERS)
.unwrap()
.to_str()
.unwrap();
assert!(hdr.contains("authorization"));
assert!(hdr.contains("accept"));
assert!(hdr.contains("content-type"));
let methods = resp
.headers()
.get(header::ACCESS_CONTROL_ALLOW_METHODS)
.unwrap()
.to_str()
.unwrap();
assert!(methods.contains("POST"));
assert!(methods.contains("GET"));
assert!(methods.contains("OPTIONS"));
Rc::get_mut(&mut cors.inner).unwrap().preflight = false;
let req = TestRequest::with_header("Origin", "https://www.example.com")
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
.header(
header::ACCESS_CONTROL_REQUEST_HEADERS,
"AUTHORIZATION,ACCEPT",
)
.method(Method::OPTIONS)
.to_srv_request();
2019-03-24 05:29:16 +01:00
2019-11-26 06:25:50 +01:00
let resp = test::call_service(&mut cors, req).await;
assert_eq!(resp.status(), StatusCode::OK);
2018-01-10 07:33:51 +01:00
}
2018-01-10 23:20:00 +01:00
2019-11-26 06:25:50 +01:00
// #[actix_rt::test]
// #[should_panic(expected = "MissingOrigin")]
2019-11-26 06:25:50 +01:00
// async fn test_validate_missing_origin() {
2018-06-21 19:06:23 +02:00
// let cors = Cors::build()
// .allowed_origin("https://www.example.com")
// .finish();
// let mut req = HttpRequest::default();
2018-06-25 06:58:04 +02:00
// cors.start(&req).unwrap();
// }
2018-01-10 23:56:45 +01:00
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
2018-01-10 23:56:45 +01:00
#[should_panic(expected = "OriginNotAllowed")]
2019-11-26 06:25:50 +01:00
async fn test_validate_not_allowed_origin() {
let cors = Cors::new()
.allowed_origin("https://www.example.com")
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.unknown.com")
.method(Method::GET)
.to_srv_request();
cors.inner.validate_origin(req.head()).unwrap();
cors.inner.validate_allowed_method(req.head()).unwrap();
cors.inner.validate_allowed_headers(req.head()).unwrap();
2018-01-10 23:56:45 +01:00
}
2018-01-10 23:20:00 +01:00
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn test_validate_origin() {
let mut cors = Cors::new()
.allowed_origin("https://www.example.com")
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::GET)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(resp.status(), StatusCode::OK);
2018-01-10 23:20:00 +01:00
}
2018-01-10 23:56:45 +01:00
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn test_no_origin_response() {
let mut cors = Cors::new()
.disable_preflight()
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::default().method(Method::GET).to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert!(resp
.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.is_none());
let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::OPTIONS)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"https://www.example.com"[..],
resp.headers()
2018-04-29 18:09:08 +02:00
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
2019-11-26 06:25:50 +01:00
.unwrap()
.as_bytes()
);
}
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn test_response() {
let exposed_headers = vec![header::AUTHORIZATION, header::ACCEPT];
let mut cors = Cors::new()
.send_wildcard()
.disable_preflight()
.max_age(3600)
.allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST])
.allowed_headers(exposed_headers.clone())
.expose_headers(exposed_headers.clone())
.allowed_header(header::CONTENT_TYPE)
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::OPTIONS)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"*"[..],
resp.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.as_bytes()
);
assert_eq!(
&b"Origin"[..],
resp.headers().get(header::VARY).unwrap().as_bytes()
);
{
let headers = resp
.headers()
.get(header::ACCESS_CONTROL_EXPOSE_HEADERS)
.unwrap()
.to_str()
.unwrap()
.split(',')
.map(|s| s.trim())
.collect::<Vec<&str>>();
2019-11-21 05:54:07 +01:00
2019-11-26 06:25:50 +01:00
for h in exposed_headers {
assert!(headers.contains(&h.as_str()));
2019-11-21 05:54:07 +01:00
}
2019-11-26 06:25:50 +01:00
}
2019-11-21 05:54:07 +01:00
2019-11-26 06:25:50 +01:00
let exposed_headers = vec![header::AUTHORIZATION, header::ACCEPT];
let mut cors = Cors::new()
.send_wildcard()
.disable_preflight()
.max_age(3600)
.allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST])
.allowed_headers(exposed_headers.clone())
.expose_headers(exposed_headers.clone())
.allowed_header(header::CONTENT_TYPE)
.finish()
.new_transform(service_fn2(|req: ServiceRequest| {
ok(req.into_response(
HttpResponse::Ok().header(header::VARY, "Accept").finish(),
))
}))
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::OPTIONS)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"Accept, Origin"[..],
resp.headers().get(header::VARY).unwrap().as_bytes()
);
let mut cors = Cors::new()
.disable_vary_header()
.allowed_origin("https://www.example.com")
.allowed_origin("https://www.google.com")
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://www.example.com")
.method(Method::OPTIONS)
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
let origins_str = resp
.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.to_str()
.unwrap();
assert_eq!("https://www.example.com", origins_str);
}
2019-11-21 05:54:07 +01:00
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn test_multiple_origins() {
let mut cors = Cors::new()
.allowed_origin("https://example.com")
.allowed_origin("https://example.org")
.allowed_methods(vec![Method::GET])
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://example.com")
.method(Method::GET)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"https://example.com"[..],
resp.headers()
2019-11-21 05:54:07 +01:00
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
2019-11-26 06:25:50 +01:00
.as_bytes()
);
2019-11-26 06:25:50 +01:00
let req = TestRequest::with_header("Origin", "https://example.org")
.method(Method::GET)
.to_srv_request();
2019-11-26 06:25:50 +01:00
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"https://example.org"[..],
resp.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.as_bytes()
);
}
2019-11-26 06:25:50 +01:00
#[actix_rt::test]
async fn test_multiple_origins_preflight() {
let mut cors = Cors::new()
.allowed_origin("https://example.com")
.allowed_origin("https://example.org")
.allowed_methods(vec![Method::GET])
.finish()
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::with_header("Origin", "https://example.com")
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "GET")
.method(Method::OPTIONS)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"https://example.com"[..],
resp.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.as_bytes()
);
let req = TestRequest::with_header("Origin", "https://example.org")
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "GET")
.method(Method::OPTIONS)
.to_srv_request();
let resp = test::call_service(&mut cors, req).await;
assert_eq!(
&b"https://example.org"[..],
resp.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.unwrap()
.as_bytes()
);
}
2018-01-10 07:33:51 +01:00
}