Panic on wildcard in Cors builder's allowed_origin() (#114)

* Assert allowed origin in Cors builder

* Add panic test for wildcard

* Add changelog entry

* rustfmt

* Apply suggestions from code review

Co-authored-by: Rob Ede <robjtede@icloud.com>

Co-authored-by: Rob Ede <robjtede@icloud.com>

actix-cors/CHANGES.md

@@ -1,6 +1,9 @@
 # Changes
 
 ## Unreleased - 2020-xx-xx
+* Disallow `*` in `Cors::allowed_origin` by panicking. [#114].
+
+[#114]: https://github.com/actix/actix-extras/pull/114
 
 
 ## 0.4.1 - 2020-10-07

actix-cors/src/builder.rs

@@ -115,10 +115,18 @@ impl Cors {
     /// `allowed_origin_fn` function is set, these functions will be used to determinate
     /// allowed origins.
     ///
-    /// Builder panics if supplied origin is not valid uri.
+    /// # Panics
+    ///
+    /// * If supplied origin is not valid uri, or
+    /// * If supplied origin is a wildcard (`*`). [`Cors::send_wildcard`] should be used instead.
     ///
     /// [Fetch Standard]: https://fetch.spec.whatwg.org/#origin-header
     pub fn allowed_origin(mut self, origin: &str) -> Cors {
+        assert!(
+            origin != "*",
+            "Wildcard in `allowed_origin` is not allowed. Use `send_wildcard`."
+        );
+
         if let Some(cors) = cors(&mut self.cors, &self.error) {
             match TryInto::<Uri>::try_into(origin) {
                 Ok(_) => {

actix-cors/tests/tests.rs

@@ -10,6 +10,17 @@ use regex::bytes::Regex;
 
 use actix_cors::Cors;
 
+#[actix_rt::test]
+#[should_panic]
+async fn test_wildcard_origin() {
+    Cors::new()
+        .allowed_origin("*")
+        .finish()
+        .new_transform(test::ok_service())
+        .await
+        .unwrap();
+}
+
 #[actix_rt::test]
 async fn test_not_allowed_origin_fn() {
     let mut cors = Cors::new()