1
0
mirror of https://github.com/actix/actix-extras.git synced 2024-11-24 07:53:00 +01:00
actix-extras/actix-cors/src/middleware.rs

224 lines
6.8 KiB
Rust
Raw Normal View History

use std::{
convert::TryInto,
rc::Rc,
task::{Context, Poll},
};
use actix_web::{
dev::{Service, ServiceRequest, ServiceResponse},
error::{Error, Result},
http::{
header::{self, HeaderValue},
Method,
},
HttpResponse,
};
use futures_util::future::{ok, Either, FutureExt as _, LocalBoxFuture, Ready};
2020-10-19 06:51:31 +02:00
use log::debug;
use crate::Inner;
/// Service wrapper for Cross-Origin Resource Sharing support.
///
/// This struct contains the settings for CORS requests to be validated and for responses to
/// be generated.
#[doc(hidden)]
#[derive(Debug, Clone)]
pub struct CorsMiddleware<S> {
pub(crate) service: S,
pub(crate) inner: Rc<Inner>,
}
2020-10-19 06:51:31 +02:00
impl<S> CorsMiddleware<S> {
fn handle_preflight<B>(inner: &Inner, req: ServiceRequest) -> ServiceResponse<B> {
if let Err(err) = inner
.validate_origin(req.head())
.and_then(|_| inner.validate_allowed_method(req.head()))
.and_then(|_| inner.validate_allowed_headers(req.head()))
{
return req.error_response(err);
}
let mut res = HttpResponse::Ok();
if let Some(origin) = inner.access_control_allow_origin(req.head()) {
2021-03-21 23:50:26 +01:00
res.insert_header((header::ACCESS_CONTROL_ALLOW_ORIGIN, origin));
2020-10-19 06:51:31 +02:00
}
if let Some(ref allowed_methods) = inner.allowed_methods_baked {
2021-03-21 23:50:26 +01:00
res.insert_header((
2020-10-19 06:51:31 +02:00
header::ACCESS_CONTROL_ALLOW_METHODS,
allowed_methods.clone(),
2021-03-21 23:50:26 +01:00
));
2020-10-19 06:51:31 +02:00
}
if let Some(ref headers) = inner.allowed_headers_baked {
2021-03-21 23:50:26 +01:00
res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));
2020-10-19 06:51:31 +02:00
} else if let Some(headers) =
req.headers().get(header::ACCESS_CONTROL_REQUEST_HEADERS)
{
// all headers allowed, return
2021-03-21 23:50:26 +01:00
res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));
2020-10-19 06:51:31 +02:00
}
if inner.supports_credentials {
2021-03-21 23:50:26 +01:00
res.insert_header((
2020-10-19 06:51:31 +02:00
header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
HeaderValue::from_static("true"),
2021-03-21 23:50:26 +01:00
));
2020-10-19 06:51:31 +02:00
}
if let Some(max_age) = inner.max_age {
2021-03-21 23:50:26 +01:00
res.insert_header((header::ACCESS_CONTROL_MAX_AGE, max_age.to_string()));
2020-10-19 06:51:31 +02:00
}
let res = res.finish();
let res = res.into_body();
req.into_response(res)
}
fn augment_response<B>(
inner: &Inner,
mut res: ServiceResponse<B>,
) -> ServiceResponse<B> {
if let Some(origin) = inner.access_control_allow_origin(res.request().head()) {
res.headers_mut()
.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);
};
if let Some(ref expose) = inner.expose_headers_baked {
res.headers_mut()
.insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose.clone());
}
if inner.supports_credentials {
res.headers_mut().insert(
header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
HeaderValue::from_static("true"),
);
}
if inner.vary_header {
let value = match res.headers_mut().get(header::VARY) {
Some(hdr) => {
let mut val: Vec<u8> = Vec::with_capacity(hdr.len() + 8);
val.extend(hdr.as_bytes());
val.extend(b", Origin");
val.try_into().unwrap()
}
None => HeaderValue::from_static("Origin"),
};
res.headers_mut().insert(header::VARY, value);
}
res
}
}
type CorsMiddlewareServiceFuture<B> = Either<
Ready<Result<ServiceResponse<B>, Error>>,
LocalBoxFuture<'static, Result<ServiceResponse<B>, Error>>,
>;
2021-03-21 23:50:26 +01:00
impl<S, B> Service<ServiceRequest> for CorsMiddleware<S>
where
2021-03-21 23:50:26 +01:00
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
S::Future: 'static,
B: 'static,
{
type Response = ServiceResponse<B>;
type Error = Error;
type Future = CorsMiddlewareServiceFuture<B>;
2021-03-21 23:50:26 +01:00
fn poll_ready(&self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
self.service.poll_ready(cx)
}
2021-03-21 23:50:26 +01:00
fn call(&self, req: ServiceRequest) -> Self::Future {
2020-10-19 06:51:31 +02:00
if self.inner.preflight && req.method() == Method::OPTIONS {
let inner = Rc::clone(&self.inner);
let res = Self::handle_preflight(&inner, req);
Either::Left(ok(res))
} else {
2020-10-19 06:51:31 +02:00
let origin = req.headers().get(header::ORIGIN).cloned();
if origin.is_some() {
// Only check requests with a origin header.
2020-10-19 06:51:31 +02:00
if let Err(err) = self.inner.validate_origin(req.head()) {
debug!("origin validation failed; inner service is not called");
return Either::Left(ok(req.error_response(err)));
}
}
let inner = Rc::clone(&self.inner);
let fut = self.service.call(req);
2020-10-19 06:51:31 +02:00
let res = async move {
let res = fut.await;
if origin.is_some() {
let res = res?;
Ok(Self::augment_response(&inner, res))
} else {
res
}
2020-10-19 06:51:31 +02:00
}
.boxed_local();
Either::Right(res)
}
}
}
2020-10-19 06:51:31 +02:00
#[cfg(test)]
mod tests {
use actix_web::{
dev::Transform,
test::{self, TestRequest},
};
use super::*;
use crate::Cors;
#[actix_rt::test]
async fn test_options_no_origin() {
// Tests case where allowed_origins is All but there are validate functions to run incase.
// In this case, origins are only allowed when the DNT header is sent.
2021-03-21 23:50:26 +01:00
let cors = Cors::default()
2020-10-19 06:51:31 +02:00
.allow_any_origin()
.allowed_origin_fn(|origin, req_head| {
assert_eq!(&origin, req_head.headers.get(header::ORIGIN).unwrap());
req_head.headers().contains_key(header::DNT)
})
2020-10-19 06:51:31 +02:00
.new_transform(test::ok_service())
.await
.unwrap();
let req = TestRequest::get()
2021-03-21 23:50:26 +01:00
.insert_header((header::ORIGIN, "http://example.com"))
2020-10-19 06:51:31 +02:00
.to_srv_request();
let res = cors.call(req).await.unwrap();
assert_eq!(
None,
res.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.map(HeaderValue::as_bytes)
);
let req = TestRequest::get()
2021-03-21 23:50:26 +01:00
.insert_header((header::ORIGIN, "http://example.com"))
.insert_header((header::DNT, "1"))
2020-10-19 06:51:31 +02:00
.to_srv_request();
let res = cors.call(req).await.unwrap();
assert_eq!(
Some(&b"http://example.com"[..]),
res.headers()
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
.map(HeaderValue::as_bytes)
);
}
}