actix-extras/actix-cors/src/middleware.rs

use std::{collections::HashSet, convert::TryInto, error::Error as StdError, rc::Rc};

use actix_utils::future::ok;
use actix_web::{
    body::{EitherBody, MessageBody},
    dev::{Service, ServiceRequest, ServiceResponse},
    error::{Error, Result},
    http::{
        header::{self, HeaderValue},
        Method,
    },
    HttpResponse,
};
use futures_util::future::{FutureExt as _, LocalBoxFuture};
use log::debug;

use crate::{builder::intersperse_header_values, AllOrSome, Inner};

/// Service wrapper for Cross-Origin Resource Sharing support.
///
/// This struct contains the settings for CORS requests to be validated and for responses to
/// be generated.
#[doc(hidden)]
#[derive(Debug, Clone)]
pub struct CorsMiddleware<S> {
    pub(crate) service: S,
    pub(crate) inner: Rc<Inner>,
}

impl<S> CorsMiddleware<S> {
    fn handle_preflight(inner: &Inner, req: ServiceRequest) -> ServiceResponse {
        if let Err(err) = inner
            .validate_origin(req.head())
            .and_then(|_| inner.validate_allowed_method(req.head()))
            .and_then(|_| inner.validate_allowed_headers(req.head()))
        {
            return req.error_response(err);
        }

        let mut res = HttpResponse::Ok();

        if let Some(origin) = inner.access_control_allow_origin(req.head()) {
            res.insert_header((header::ACCESS_CONTROL_ALLOW_ORIGIN, origin));
        }

        if let Some(ref allowed_methods) = inner.allowed_methods_baked {
            res.insert_header((
                header::ACCESS_CONTROL_ALLOW_METHODS,
                allowed_methods.clone(),
            ));
        }

        if let Some(ref headers) = inner.allowed_headers_baked {
            res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));
        } else if let Some(headers) = req.headers().get(header::ACCESS_CONTROL_REQUEST_HEADERS) {
            // all headers allowed, return
            res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));
        }

        if inner.supports_credentials {
            res.insert_header((
                header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
                HeaderValue::from_static("true"),
            ));
        }

        if let Some(max_age) = inner.max_age {
            res.insert_header((header::ACCESS_CONTROL_MAX_AGE, max_age.to_string()));
        }

        let res = res.finish();
        req.into_response(res)
    }

    fn augment_response<B>(inner: &Inner, mut res: ServiceResponse<B>) -> ServiceResponse<B> {
        if let Some(origin) = inner.access_control_allow_origin(res.request().head()) {
            res.headers_mut()
                .insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        };

        if let Some(ref expose) = inner.expose_headers_baked {
            log::trace!("exposing selected headers: {:?}", expose);

            res.headers_mut()
                .insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose.clone());
        } else if matches!(inner.expose_headers, AllOrSome::All) {
            // intersperse_header_values requires that argument is non-empty
            if !res.request().headers().is_empty() {
                // extract header names from request
                let expose_all_request_headers = res
                    .request()
                    .headers()
                    .keys()
                    .into_iter()
                    .map(|name| name.as_str())
                    .collect::<HashSet<_>>();

                // create comma separated string of header names
                let expose_headers_value = intersperse_header_values(&expose_all_request_headers);

                log::trace!(
                    "exposing all headers from request: {:?}",
                    expose_headers_value
                );

                // add header names to expose response header
                res.headers_mut()
                    .insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose_headers_value);
            }
        }

        if inner.supports_credentials {
            res.headers_mut().insert(
                header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
                HeaderValue::from_static("true"),
            );
        }

        if inner.vary_header {
            let value = match res.headers_mut().get(header::VARY) {
                Some(hdr) => {
                    let mut val: Vec<u8> = Vec::with_capacity(hdr.len() + 8);
                    val.extend(hdr.as_bytes());
                    val.extend(b", Origin");
                    val.try_into().unwrap()
                }
                None => HeaderValue::from_static("Origin"),
            };

            res.headers_mut().insert(header::VARY, value);
        }

        res
    }
}

impl<S, B> Service<ServiceRequest> for CorsMiddleware<S>
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: MessageBody + 'static,
    B::Error: StdError,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<ServiceResponse<EitherBody<B>>, Error>>;

    actix_service::forward_ready!(service);

    fn call(&self, req: ServiceRequest) -> Self::Future {
        if self.inner.preflight && req.method() == Method::OPTIONS {
            let inner = Rc::clone(&self.inner);
            let res = Self::handle_preflight(&inner, req);
            ok(res.map_into_right_body()).boxed_local()
        } else {
            let origin = req.headers().get(header::ORIGIN).cloned();

            if origin.is_some() {
                // Only check requests with a origin header.
                if let Err(err) = self.inner.validate_origin(req.head()) {
                    debug!("origin validation failed; inner service is not called");
                    return ok(req.error_response(err).map_into_right_body()).boxed_local();
                }
            }

            let inner = Rc::clone(&self.inner);
            let fut = self.service.call(req);

            async move {
                let res = fut.await;

                if origin.is_some() {
                    Ok(Self::augment_response(&inner, res?))
                } else {
                    res
                }
                .map(|res| res.map_into_left_body())
            }
            .boxed_local()
        }
    }
}

#[cfg(test)]
mod tests {
    use actix_web::{
        dev::Transform,
        test::{self, TestRequest},
    };

    use super::*;
    use crate::Cors;

    #[actix_rt::test]
    async fn test_options_no_origin() {
        // Tests case where allowed_origins is All but there are validate functions to run incase.
        // In this case, origins are only allowed when the DNT header is sent.

        let cors = Cors::default()
            .allow_any_origin()
            .allowed_origin_fn(|origin, req_head| {
                assert_eq!(&origin, req_head.headers.get(header::ORIGIN).unwrap());

                req_head.headers().contains_key(header::DNT)
            })
            .new_transform(test::ok_service())
            .await
            .unwrap();

        let req = TestRequest::get()
            .insert_header((header::ORIGIN, "http://example.com"))
            .to_srv_request();
        let res = cors.call(req).await.unwrap();
        assert_eq!(
            None,
            res.headers()
                .get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
                .map(HeaderValue::as_bytes)
        );

        let req = TestRequest::get()
            .insert_header((header::ORIGIN, "http://example.com"))
            .insert_header((header::DNT, "1"))
            .to_srv_request();
        let res = cors.call(req).await.unwrap();
        assert_eq!(
            Some(&b"http://example.com"[..]),
            res.headers()
                .get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
                .map(HeaderValue::as_bytes)
        );
    }
}
fix cors expose_any_header behavior (#204) 2021-10-21 16:47:56 +02:00			`use std::{collections::HashSet, convert::TryInto, error::Error as StdError, rc::Rc};`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`use actix_utils::future::ok;`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`use actix_web::{`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`body::{EitherBody, MessageBody},`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`dev::{Service, ServiceRequest, ServiceResponse},`
			`error::{Error, Result},`
			`http::{`
			`header::{self, HeaderValue},`
			`Method,`
			`},`
			`HttpResponse,`
			`};`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`use futures_util::future::{FutureExt as _, LocalBoxFuture};`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`use log::debug;`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00
fix cors expose_any_header behavior (#204) 2021-10-21 16:47:56 +02:00			`use crate::{builder::intersperse_header_values, AllOrSome, Inner};`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00
			`/// Service wrapper for Cross-Origin Resource Sharing support.`
			`///`
			`/// This struct contains the settings for CORS requests to be validated and for responses to`
			`/// be generated.`
cors: hide service struct from docs (#118) This hides `CorsMiddleware` from rustdocs, following the pattern of the rest of `actix_web::middleware` implementations. 2020-10-17 00:01:30 +02:00			`#[doc(hidden)]`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`#[derive(Debug, Clone)]`
			`pub struct CorsMiddleware<S> {`
			`pub(crate) service: S,`
			`pub(crate) inner: Rc<Inner>,`
			`}`

CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`impl<S> CorsMiddleware<S> {`
fix doctest ci (#188) 2021-06-27 08:02:38 +02:00			`fn handle_preflight(inner: &Inner, req: ServiceRequest) -> ServiceResponse {`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`if let Err(err) = inner`
			`.validate_origin(req.head())`
			`.and_then(\|_\| inner.validate_allowed_method(req.head()))`
			`.and_then(\|_\| inner.validate_allowed_headers(req.head()))`
			`{`
			`return req.error_response(err);`
			`}`

			`let mut res = HttpResponse::Ok();`

			`if let Some(origin) = inner.access_control_allow_origin(req.head()) {`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`res.insert_header((header::ACCESS_CONTROL_ALLOW_ORIGIN, origin));`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`

			`if let Some(ref allowed_methods) = inner.allowed_methods_baked {`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`res.insert_header((`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`header::ACCESS_CONTROL_ALLOW_METHODS,`
			`allowed_methods.clone(),`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`));`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`

			`if let Some(ref headers) = inner.allowed_headers_baked {`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));`
fmt with new width 2021-08-31 00:27:44 +02:00			`} else if let Some(headers) = req.headers().get(header::ACCESS_CONTROL_REQUEST_HEADERS) {`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`// all headers allowed, return`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`

			`if inner.supports_credentials {`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`res.insert_header((`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`header::ACCESS_CONTROL_ALLOW_CREDENTIALS,`
			`HeaderValue::from_static("true"),`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`));`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`

			`if let Some(max_age) = inner.max_age {`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`res.insert_header((header::ACCESS_CONTROL_MAX_AGE, max_age.to_string()));`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`

			`let res = res.finish();`
			`req.into_response(res)`
			`}`

fmt with new width 2021-08-31 00:27:44 +02:00			`fn augment_response<B>(inner: &Inner, mut res: ServiceResponse<B>) -> ServiceResponse<B> {`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`if let Some(origin) = inner.access_control_allow_origin(res.request().head()) {`
			`res.headers_mut()`
			`.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);`
			`};`

			`if let Some(ref expose) = inner.expose_headers_baked {`
fix cors expose_any_header behavior (#204) 2021-10-21 16:47:56 +02:00			`log::trace!("exposing selected headers: {:?}", expose);`

CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`res.headers_mut()`
			`.insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose.clone());`
fix cors expose_any_header behavior (#204) 2021-10-21 16:47:56 +02:00			`} else if matches!(inner.expose_headers, AllOrSome::All) {`
			`// intersperse_header_values requires that argument is non-empty`
			`if !res.request().headers().is_empty() {`
			`// extract header names from request`
			`let expose_all_request_headers = res`
			`.request()`
			`.headers()`
			`.keys()`
			`.into_iter()`
			`.map(\|name\| name.as_str())`
			`.collect::<HashSet<_>>();`

			`// create comma separated string of header names`
			`let expose_headers_value = intersperse_header_values(&expose_all_request_headers);`

			`log::trace!(`
			`"exposing all headers from request: {:?}",`
			`expose_headers_value`
			`);`

			`// add header names to expose response header`
			`res.headers_mut()`
			`.insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose_headers_value);`
			`}`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`

			`if inner.supports_credentials {`
			`res.headers_mut().insert(`
			`header::ACCESS_CONTROL_ALLOW_CREDENTIALS,`
			`HeaderValue::from_static("true"),`
			`);`
			`}`

			`if inner.vary_header {`
			`let value = match res.headers_mut().get(header::VARY) {`
			`Some(hdr) => {`
			`let mut val: Vec<u8> = Vec::with_capacity(hdr.len() + 8);`
			`val.extend(hdr.as_bytes());`
			`val.extend(b", Origin");`
			`val.try_into().unwrap()`
			`}`
			`None => HeaderValue::from_static("Origin"),`
			`};`

			`res.headers_mut().insert(header::VARY, value);`
			`}`

			`res`
			`}`
			`}`

Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`impl<S, B> Service<ServiceRequest> for CorsMiddleware<S>`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`where`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`S::Future: 'static,`
fix doctest ci (#188) 2021-06-27 08:02:38 +02:00			`B: MessageBody + 'static,`
			`B::Error: StdError,`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`{`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`type Response = ServiceResponse<EitherBody<B>>;`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`type Error = Error;`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`type Future = LocalBoxFuture<'static, Result<ServiceResponse<EitherBody<B>>, Error>>;`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00
use forward_ready for service definitions 2021-03-22 06:18:59 +01:00			`actix_service::forward_ready!(service);`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`fn call(&self, req: ServiceRequest) -> Self::Future {`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`if self.inner.preflight && req.method() == Method::OPTIONS {`
			`let inner = Rc::clone(&self.inner);`
			`let res = Self::handle_preflight(&inner, req);`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`ok(res.map_into_right_body()).boxed_local()`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`} else {`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`let origin = req.headers().get(header::ORIGIN).cloned();`

			`if origin.is_some() {`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`// Only check requests with a origin header.`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`if let Err(err) = self.inner.validate_origin(req.head()) {`
			`debug!("origin validation failed; inner service is not called");`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`return ok(req.error_response(err).map_into_right_body()).boxed_local();`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`}`
			`}`

			`let inner = Rc::clone(&self.inner);`
			`let fut = self.service.call(req);`

migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`async move {`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`let res = fut.await;`

			`if origin.is_some() {`
stop cloning request across service call (#213) 2021-12-13 03:49:27 +01:00			`Ok(Self::augment_response(&inner, res?))`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`} else {`
			`res`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`}`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`.map(\|res\| res.map_into_left_body())`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`}`
migrate to actix-web beta 14 (#209) 2021-12-11 17:05:21 +01:00			`.boxed_local()`
split up cors lib and fix doc links (#113) * split up cors lib and fix doc links * clippy 2020-10-08 12:50:56 +02:00			`}`
			`}`
			`}`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00
			`#[cfg(test)]`
			`mod tests {`
			`use actix_web::{`
			`dev::Transform,`
			`test::{self, TestRequest},`
			`};`

			`use super::*;`
			`use crate::Cors;`

			`#[actix_rt::test]`
			`async fn test_options_no_origin() {`
			`// Tests case where allowed_origins is All but there are validate functions to run incase.`
			`// In this case, origins are only allowed when the DNT header is sent.`

Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`let cors = Cors::default()`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`.allow_any_origin()`
cors origin validator function receives origin as first parameter (#120) 2020-10-19 20:30:46 +02:00			`.allowed_origin_fn(\|origin, req_head\| {`
			`assert_eq!(&origin, req_head.headers.get(header::ORIGIN).unwrap());`

			`req_head.headers().contains_key(header::DNT)`
			`})`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`.new_transform(test::ok_service())`
			`.await`
			`.unwrap();`

			`let req = TestRequest::get()`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`.insert_header((header::ORIGIN, "http://example.com"))`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`.to_srv_request();`
			`let res = cors.call(req).await.unwrap();`
			`assert_eq!(`
			`None,`
			`res.headers()`
			`.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)`
			`.map(HeaderValue::as_bytes)`
			`);`

			`let req = TestRequest::get()`
Update dependencies (Tokio 1.0) (#144) 2021-03-21 23:50:26 +01:00			`.insert_header((header::ORIGIN, "http://example.com"))`
			`.insert_header((header::DNT, "1"))`
CORS builder rework (#119) 2020-10-19 06:51:31 +02:00			`.to_srv_request();`
			`let res = cors.call(req).await.unwrap();`
			`assert_eq!(`
			`Some(&b"http://example.com"[..]),`
			`res.headers()`
			`.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)`
			`.map(HeaderValue::as_bytes)`
			`);`
			`}`
			`}`