cors origin validator function receives origin as first parameter (#120)

actix-cors/src/builder.rs

@@ -13,7 +13,9 @@ use tinyvec::tiny_vec;
 
 use crate::{AllOrSome, CorsError, CorsMiddleware, Inner, OriginFn};
 
-pub(crate) fn cors<'a>(
+/// Convenience for getting mut refs to inner. Cleaner than `Rc::get_mut`.
+/// Additionally, always causes first error (if any) to be reported during initialization.
+fn cors<'a>(
     inner: &'a mut Rc<Inner>,
     err: &Option<Either<http::Error, CorsError>>,
 ) -> Option<&'a mut Inner> {
@@ -178,7 +180,7 @@ impl Cors {
     /// into the `Access-Control-Allow-Origin` response header.
     pub fn allowed_origin_fn<F>(mut self, f: F) -> Cors
     where
-        F: (Fn(&RequestHead) -> bool) + 'static,
+        F: (Fn(&HeaderValue, &RequestHead) -> bool) + 'static,
     {
         if let Some(cors) = cors(&mut self.inner, &self.error) {
             cors.allowed_origins_fns.push(OriginFn {

actix-cors/src/inner.rs

@@ -15,13 +15,13 @@ use crate::{AllOrSome, CorsError};
 
 #[derive(Clone)]
 pub(crate) struct OriginFn {
-    pub(crate) boxed_fn: Rc<dyn Fn(&RequestHead) -> bool>,
+    pub(crate) boxed_fn: Rc<dyn Fn(&HeaderValue, &RequestHead) -> bool>,
 }
 
 impl Default for OriginFn {
     /// Dummy default for use in tiny_vec. Do not use.
     fn default() -> Self {
-        let boxed_fn: Rc<dyn Fn(&_) -> _> = Rc::new(|_req_head| false);
+        let boxed_fn: Rc<dyn Fn(&_, &_) -> _> = Rc::new(|_origin, _req_head| false);
         Self { boxed_fn }
     }
 }
@@ -78,7 +78,9 @@ impl Inner {
         match req.headers().get(header::ORIGIN) {
             // origin header exists and is a string
             Some(origin) => {
-                if allowed_origins.contains(origin) || self.validate_origin_fns(req) {
+                if allowed_origins.contains(origin)
+                    || self.validate_origin_fns(origin, req)
+                {
                     Ok(())
                 } else {
                     Err(CorsError::OriginNotAllowed)
@@ -92,11 +94,11 @@ impl Inner {
         }
     }
 
-    /// Accepts origin if _ANY_ functions return true.
-    pub(crate) fn validate_origin_fns(&self, req: &RequestHead) -> bool {
+    /// Accepts origin if _ANY_ functions return true. Only called when Origin exists.
+    fn validate_origin_fns(&self, origin: &HeaderValue, req: &RequestHead) -> bool {
         self.allowed_origins_fns
             .iter()
-            .any(|origin_fn| (origin_fn.boxed_fn)(req))
+            .any(|origin_fn| (origin_fn.boxed_fn)(origin, req))
     }
 
     /// Only called if origin exists and always after it's validated.

actix-cors/src/lib.rs

@@ -21,12 +21,8 @@
 //!     HttpServer::new(|| {
 //!         let cors = Cors::default()
 //!               .allowed_origin("https://www.rust-lang.org/")
-//!               .allowed_origin_fn(|req| {
-//!                   req.headers
-//!                       .get(http::header::ORIGIN)
-//!                       .map(http::HeaderValue::as_bytes)
-//!                       .filter(|b| b.ends_with(b".rust-lang.org"))
-//!                       .is_some()
+//!               .allowed_origin_fn(|origin, _req_head| {
+//!                   origin.as_bytes().ends_with(b".rust-lang.org")
 //!               })
 //!               .allowed_methods(vec!["GET", "POST"])
 //!               .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])

actix-cors/src/middleware.rs

@@ -189,7 +189,11 @@ mod tests {
 
         let mut cors = Cors::default()
             .allow_any_origin()
-            .allowed_origin_fn(|req_head| req_head.headers().contains_key(header::DNT))
+            .allowed_origin_fn(|origin, req_head| {
+                assert_eq!(&origin, req_head.headers.get(header::ORIGIN).unwrap());
+
+                req_head.headers().contains_key(header::DNT)
+            })
             .new_transform(test::ok_service())
             .await
             .unwrap();