2021-06-27 08:02:38 +02:00
|
|
|
use std::{convert::TryInto, error::Error as StdError, rc::Rc};
|
2020-10-08 12:50:56 +02:00
|
|
|
|
|
|
|
use actix_web::{
|
2021-06-27 08:02:38 +02:00
|
|
|
body::{AnyBody, MessageBody},
|
2020-10-08 12:50:56 +02:00
|
|
|
dev::{Service, ServiceRequest, ServiceResponse},
|
|
|
|
error::{Error, Result},
|
|
|
|
http::{
|
|
|
|
header::{self, HeaderValue},
|
|
|
|
Method,
|
|
|
|
},
|
|
|
|
HttpResponse,
|
|
|
|
};
|
2021-06-27 08:02:38 +02:00
|
|
|
use futures_util::future::{
|
|
|
|
ok, Either, FutureExt as _, LocalBoxFuture, Ready, TryFutureExt as _,
|
|
|
|
};
|
2020-10-19 06:51:31 +02:00
|
|
|
use log::debug;
|
2020-10-08 12:50:56 +02:00
|
|
|
|
|
|
|
use crate::Inner;
|
|
|
|
|
|
|
|
/// Service wrapper for Cross-Origin Resource Sharing support.
|
|
|
|
///
|
|
|
|
/// This struct contains the settings for CORS requests to be validated and for responses to
|
|
|
|
/// be generated.
|
2020-10-17 00:01:30 +02:00
|
|
|
#[doc(hidden)]
|
2020-10-08 12:50:56 +02:00
|
|
|
#[derive(Debug, Clone)]
|
|
|
|
pub struct CorsMiddleware<S> {
|
|
|
|
pub(crate) service: S,
|
|
|
|
pub(crate) inner: Rc<Inner>,
|
|
|
|
}
|
|
|
|
|
2020-10-19 06:51:31 +02:00
|
|
|
impl<S> CorsMiddleware<S> {
|
2021-06-27 08:02:38 +02:00
|
|
|
fn handle_preflight(inner: &Inner, req: ServiceRequest) -> ServiceResponse {
|
2020-10-19 06:51:31 +02:00
|
|
|
if let Err(err) = inner
|
|
|
|
.validate_origin(req.head())
|
|
|
|
.and_then(|_| inner.validate_allowed_method(req.head()))
|
|
|
|
.and_then(|_| inner.validate_allowed_headers(req.head()))
|
|
|
|
{
|
|
|
|
return req.error_response(err);
|
|
|
|
}
|
|
|
|
|
|
|
|
let mut res = HttpResponse::Ok();
|
|
|
|
|
|
|
|
if let Some(origin) = inner.access_control_allow_origin(req.head()) {
|
2021-03-21 23:50:26 +01:00
|
|
|
res.insert_header((header::ACCESS_CONTROL_ALLOW_ORIGIN, origin));
|
2020-10-19 06:51:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(ref allowed_methods) = inner.allowed_methods_baked {
|
2021-03-21 23:50:26 +01:00
|
|
|
res.insert_header((
|
2020-10-19 06:51:31 +02:00
|
|
|
header::ACCESS_CONTROL_ALLOW_METHODS,
|
|
|
|
allowed_methods.clone(),
|
2021-03-21 23:50:26 +01:00
|
|
|
));
|
2020-10-19 06:51:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(ref headers) = inner.allowed_headers_baked {
|
2021-03-21 23:50:26 +01:00
|
|
|
res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));
|
2020-10-19 06:51:31 +02:00
|
|
|
} else if let Some(headers) =
|
|
|
|
req.headers().get(header::ACCESS_CONTROL_REQUEST_HEADERS)
|
|
|
|
{
|
|
|
|
// all headers allowed, return
|
2021-03-21 23:50:26 +01:00
|
|
|
res.insert_header((header::ACCESS_CONTROL_ALLOW_HEADERS, headers.clone()));
|
2020-10-19 06:51:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if inner.supports_credentials {
|
2021-03-21 23:50:26 +01:00
|
|
|
res.insert_header((
|
2020-10-19 06:51:31 +02:00
|
|
|
header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
|
|
|
|
HeaderValue::from_static("true"),
|
2021-03-21 23:50:26 +01:00
|
|
|
));
|
2020-10-19 06:51:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(max_age) = inner.max_age {
|
2021-03-21 23:50:26 +01:00
|
|
|
res.insert_header((header::ACCESS_CONTROL_MAX_AGE, max_age.to_string()));
|
2020-10-19 06:51:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
let res = res.finish();
|
|
|
|
req.into_response(res)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn augment_response<B>(
|
|
|
|
inner: &Inner,
|
|
|
|
mut res: ServiceResponse<B>,
|
|
|
|
) -> ServiceResponse<B> {
|
|
|
|
if let Some(origin) = inner.access_control_allow_origin(res.request().head()) {
|
|
|
|
res.headers_mut()
|
|
|
|
.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);
|
|
|
|
};
|
|
|
|
|
|
|
|
if let Some(ref expose) = inner.expose_headers_baked {
|
|
|
|
res.headers_mut()
|
|
|
|
.insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose.clone());
|
|
|
|
}
|
|
|
|
|
|
|
|
if inner.supports_credentials {
|
|
|
|
res.headers_mut().insert(
|
|
|
|
header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
|
|
|
|
HeaderValue::from_static("true"),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
if inner.vary_header {
|
|
|
|
let value = match res.headers_mut().get(header::VARY) {
|
|
|
|
Some(hdr) => {
|
|
|
|
let mut val: Vec<u8> = Vec::with_capacity(hdr.len() + 8);
|
|
|
|
val.extend(hdr.as_bytes());
|
|
|
|
val.extend(b", Origin");
|
|
|
|
val.try_into().unwrap()
|
|
|
|
}
|
|
|
|
None => HeaderValue::from_static("Origin"),
|
|
|
|
};
|
|
|
|
|
|
|
|
res.headers_mut().insert(header::VARY, value);
|
|
|
|
}
|
|
|
|
|
|
|
|
res
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-27 08:02:38 +02:00
|
|
|
type CorsMiddlewareServiceFuture = Either<
|
|
|
|
Ready<Result<ServiceResponse, Error>>,
|
|
|
|
LocalBoxFuture<'static, Result<ServiceResponse, Error>>,
|
2020-10-08 12:50:56 +02:00
|
|
|
>;
|
|
|
|
|
2021-03-21 23:50:26 +01:00
|
|
|
impl<S, B> Service<ServiceRequest> for CorsMiddleware<S>
|
2020-10-08 12:50:56 +02:00
|
|
|
where
|
2021-03-21 23:50:26 +01:00
|
|
|
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
|
2020-10-08 12:50:56 +02:00
|
|
|
S::Future: 'static,
|
2021-06-27 08:02:38 +02:00
|
|
|
B: MessageBody + 'static,
|
|
|
|
B::Error: StdError,
|
2020-10-08 12:50:56 +02:00
|
|
|
{
|
2021-06-27 08:02:38 +02:00
|
|
|
type Response = ServiceResponse;
|
2020-10-08 12:50:56 +02:00
|
|
|
type Error = Error;
|
2021-06-27 08:02:38 +02:00
|
|
|
type Future = CorsMiddlewareServiceFuture;
|
2020-10-08 12:50:56 +02:00
|
|
|
|
2021-03-22 06:18:59 +01:00
|
|
|
actix_service::forward_ready!(service);
|
2020-10-08 12:50:56 +02:00
|
|
|
|
2021-03-21 23:50:26 +01:00
|
|
|
fn call(&self, req: ServiceRequest) -> Self::Future {
|
2020-10-19 06:51:31 +02:00
|
|
|
if self.inner.preflight && req.method() == Method::OPTIONS {
|
|
|
|
let inner = Rc::clone(&self.inner);
|
|
|
|
let res = Self::handle_preflight(&inner, req);
|
|
|
|
Either::Left(ok(res))
|
2020-10-08 12:50:56 +02:00
|
|
|
} else {
|
2020-10-19 06:51:31 +02:00
|
|
|
let origin = req.headers().get(header::ORIGIN).cloned();
|
|
|
|
|
|
|
|
if origin.is_some() {
|
2020-10-08 12:50:56 +02:00
|
|
|
// Only check requests with a origin header.
|
2020-10-19 06:51:31 +02:00
|
|
|
if let Err(err) = self.inner.validate_origin(req.head()) {
|
|
|
|
debug!("origin validation failed; inner service is not called");
|
|
|
|
return Either::Left(ok(req.error_response(err)));
|
2020-10-08 12:50:56 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
let inner = Rc::clone(&self.inner);
|
|
|
|
let fut = self.service.call(req);
|
|
|
|
|
2020-10-19 06:51:31 +02:00
|
|
|
let res = async move {
|
|
|
|
let res = fut.await;
|
|
|
|
|
|
|
|
if origin.is_some() {
|
|
|
|
let res = res?;
|
|
|
|
Ok(Self::augment_response(&inner, res))
|
|
|
|
} else {
|
|
|
|
res
|
2020-10-08 12:50:56 +02:00
|
|
|
}
|
2020-10-19 06:51:31 +02:00
|
|
|
}
|
2021-06-27 08:02:38 +02:00
|
|
|
.map_ok(|res| res.map_body(|_, body| AnyBody::from_message(body)))
|
2020-10-19 06:51:31 +02:00
|
|
|
.boxed_local();
|
|
|
|
|
|
|
|
Either::Right(res)
|
2020-10-08 12:50:56 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-10-19 06:51:31 +02:00
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
mod tests {
|
|
|
|
use actix_web::{
|
|
|
|
dev::Transform,
|
|
|
|
test::{self, TestRequest},
|
|
|
|
};
|
|
|
|
|
|
|
|
use super::*;
|
|
|
|
use crate::Cors;
|
|
|
|
|
|
|
|
#[actix_rt::test]
|
|
|
|
async fn test_options_no_origin() {
|
|
|
|
// Tests case where allowed_origins is All but there are validate functions to run incase.
|
|
|
|
// In this case, origins are only allowed when the DNT header is sent.
|
|
|
|
|
2021-03-21 23:50:26 +01:00
|
|
|
let cors = Cors::default()
|
2020-10-19 06:51:31 +02:00
|
|
|
.allow_any_origin()
|
2020-10-19 20:30:46 +02:00
|
|
|
.allowed_origin_fn(|origin, req_head| {
|
|
|
|
assert_eq!(&origin, req_head.headers.get(header::ORIGIN).unwrap());
|
|
|
|
|
|
|
|
req_head.headers().contains_key(header::DNT)
|
|
|
|
})
|
2020-10-19 06:51:31 +02:00
|
|
|
.new_transform(test::ok_service())
|
|
|
|
.await
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
let req = TestRequest::get()
|
2021-03-21 23:50:26 +01:00
|
|
|
.insert_header((header::ORIGIN, "http://example.com"))
|
2020-10-19 06:51:31 +02:00
|
|
|
.to_srv_request();
|
|
|
|
let res = cors.call(req).await.unwrap();
|
|
|
|
assert_eq!(
|
|
|
|
None,
|
|
|
|
res.headers()
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
);
|
|
|
|
|
|
|
|
let req = TestRequest::get()
|
2021-03-21 23:50:26 +01:00
|
|
|
.insert_header((header::ORIGIN, "http://example.com"))
|
|
|
|
.insert_header((header::DNT, "1"))
|
2020-10-19 06:51:31 +02:00
|
|
|
.to_srv_request();
|
|
|
|
let res = cors.call(req).await.unwrap();
|
|
|
|
assert_eq!(
|
|
|
|
Some(&b"http://example.com"[..]),
|
|
|
|
res.headers()
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|