From 7c3c9357e0405af1c6f59a19a377f7c390ddd5b6 Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Sun, 7 Aug 2022 21:56:33 +0200
Subject: [PATCH] fix expose all headers (#273)

* fix expose all headers
* update changelog
---
 actix-cors/CHANGES.md | 3 +++
 actix-cors/src/builder.rs | 2 +-
 actix-cors/src/middleware.rs | 3 +--
 actix-cors/tests/tests.rs | 25 +++++++++++++++----------
 actix-limitation/CHANGES.md | 2 +-
 5 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/actix-cors/CHANGES.md b/actix-cors/CHANGES.md
index 108c65de1..02af31e98 100644
--- a/actix-cors/CHANGES.md
+++ b/actix-cors/CHANGES.md
@@ -1,8 +1,11 @@
 # Changes
 ## Unreleased - 2022-xx-xx
+- Fix `expose_any_header` to return list of response headers. [#273]
 - Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
+[#273]: https://github.com/actix/actix-extras/pull/273
+
 ## 0.6.1 - 2022-03-07
 - Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226]
diff --git a/actix-cors/src/builder.rs b/actix-cors/src/builder.rs
index b6c50c1c4..804a0b253 100644
--- a/actix-cors/src/builder.rs
+++ b/actix-cors/src/builder.rs
@@ -315,7 +315,7 @@ impl Cors {
 self
 }
- /// Resets exposed response header list to a state where any header is accepted.
+ /// Resets exposed response header list to a state where all headers are exposed.
 ///
 /// See [`Cors::expose_headers`] for more info on exposed response headers.
 pub fn expose_any_header(mut self) -> Cors {
diff --git a/actix-cors/src/middleware.rs b/actix-cors/src/middleware.rs
index c65e9ee6f..fb7b487bf 100644
--- a/actix-cors/src/middleware.rs
+++ b/actix-cors/src/middleware.rs
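Review bot: The reworded doc comment on `expose_any_header` in actix-cors/src/builder.rs says all headers are exposed, but not which headers or what that means for a caller. Judging by the middleware change in this same patch, the list is built from the header names present on the response, so every header a handler sets becomes readable by scripts on any allowed origin. I would add a line such as `/// Every header present on the response is listed, so avoid this when handlers set headers that cross-origin scripts must not read.` The function body continues outside the hunk.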
@@ -121,10 +121,9 @@ impl CorsMiddleware {
 .insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose.clone());
 } else if matches!(inner.expose_headers, AllOrSome::All) {
 // intersperse_header_values requires that argument is non-empty
- if !res.request().headers().is_empty() {
+ if !res.headers().is_empty() {
 // extract header names from request
 let expose_all_request_headers = res
- .request()
 .headers()
 .keys()
 .into_iter()
diff --git a/actix-cors/tests/tests.rs b/actix-cors/tests/tests.rs
index 7b6075c14..b0ff02b91 100644
--- a/actix-cors/tests/tests.rs
+++ b/actix-cors/tests/tests.rs
@@ -501,7 +501,15 @@ async fn test_allow_any_origin_any_method_any_header() {
 #[actix_web::test]
 async fn expose_all_request_header_values() {
 let cors = Cors::permissive()
- .new_transform(test::ok_service())
+ .new_transform(fn_service(|req: ServiceRequest| async move {
+ let res = req.into_response(
+ HttpResponse::Ok()
+ .insert_header((header::CONTENT_DISPOSITION, "test disposition"))
+ .finish(),
+ );
+
+ Ok(res)
+ }))
 .await
 .unwrap();
@@ -509,20 +517,17 @@ async fn expose_all_request_header_values() {
 .insert_header((header::ORIGIN, "https://www.example.com"))
 .insert_header((header::ACCESS_CONTROL_REQUEST_METHOD, "POST"))
 .insert_header((header::ACCESS_CONTROL_REQUEST_HEADERS, "content-type"))
- .insert_header(("X-XSRF-TOKEN", "xsrf-token"))
 .to_srv_request();
- let resp = test::call_service(&cors, req).await;
+ let res = test::call_service(&cors, req).await;
- assert!(resp
- .headers()
- .contains_key(header::ACCESS_CONTROL_EXPOSE_HEADERS));
-
- assert!(resp
+ let cd_hdr = res
 .headers()
 .get(header::ACCESS_CONTROL_EXPOSE_HEADERS)
 .unwrap()
 .to_str()
- .unwrap()
- .contains("xsrf-token"));
+ .unwrap();
+
+ assert!(cd_hdr.contains("content-disposition"));
+ assert!(cd_hdr.contains("access-control-allow-origin"));
 }
diff --git a/actix-limitation/CHANGES.md b/actix-limitation/CHANGES.md
index 819c496cc..573b09032 100644
--- a/actix-limitation/CHANGES.md
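Review bot: In actix-cors/src/middleware.rs the comment `// extract header names from request` and the binding `expose_all_request_headers` now contradict the code, which reads `res.headers()`, i.e. the response. Change the comment to `// extract header names from response` and rename the binding to `expose_all_response_headers`; its later uses are outside this hunk. The list is a snapshot of the response headers at this point in the middleware, so headers attached afterwards by other layers are presumably not listed, and a one-line comment saying so would help. The enclosing branch continues past the end of the hunk.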
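Review bot: The second hunk in actix-cors/tests/tests.rs drops the `X-XSRF-TOKEN` request header instead of asserting that it is no longer reflected, so nothing pins the behaviour this patch fixes. Keep `.insert_header(("X-XSRF-TOKEN", "xsrf-token"))` on the request and add `assert!(!cd_hdr.contains("xsrf-token"));`, so a regression that echoes request header names into `Access-Control-Expose-Headers` fails the test. Two names are also stale. The test is still called `expose_all_request_header_values` (declared in the first hunk), and `cd_hdr` holds the expose-headers value rather than Content-Disposition, so `expose_hdr` would read better.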
+++ b/actix-limitation/CHANGES.md
@@ -2,7 +2,7 @@
 ## Unreleased - 2022-xx-xx
 - Implement `Default` for `RateLimiter`.
-- `RateLimiter` can no longer be constructed without `::default()`.
+- `RateLimiter` is marked `#[non_exhaustive]`; use `RateLimiter::default()` instead.
 ## 0.3.0 - 2022-07-11
 - `Limiter::builder` now takes an `impl Into`.