-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: fix(cors) allow pre-flight requests to options / trace / connect endpoints #4899
Conversation
|
👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the patch! Would you also contribute test cases for this fix please?
sure, just waiting for the design approval (some sort of message or anything), that means the team understands and welcomes those changes and possible implications ( i believe, existing cients can be affected) |
@eshepelyuk Yes, the chosen approach is fine. |
@thibaultcha should I rebase on master or on particular release branch ? |
@eshepelyuk We are currently in feature freeze with the upcoming 1.3.0 release (next Wednesday), but given this is a fix (and rather minimal), we could still ship it by then if it is ready (no rush, if not on Wednesday, it will ship next time around) cc @Kong/team-core. We always submit fixes against master (as per our contribution guidelines), so better rebase the PR against it. The patch would apply cleanly in either branch anyway. Thanks for taking care of it! Truly appreciated, this is a nice fix. |
@@ -0,0 +1,3 @@ | |||
return { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@eshepelyuk A minor concern about this PR: the api.lua
module name has a special meaning in plugins (it is used to specify customization to the generated Admin API endpoints). Please rename this module to something else to avoid namespace clashes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact, better not introduce such a new module at all. I understand that the intent is to not duplicate the list between the plugin's code and tests, but we actually would rather duplicate it. This avoids accidental changes to the list going unnoticed (since they need to be updated in the tests and in the code). This is a pattern that this codebase has been following for a long time now.
@eshepelyuk Left a minor change request, otherwise i think this PR is good to go! |
@@ -181,7 +181,9 @@ end | |||
|
|||
|
|||
function CorsHandler:access(conf) | |||
if kong.request.get_method() ~= "OPTIONS" then | |||
if not (kong.request.get_method() == "OPTIONS" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
style: please remove the extra set of parenthesis around this expression. They are not necessary.
@@ -0,0 +1,3 @@ | |||
return { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact, better not introduce such a new module at all. I understand that the intent is to not duplicate the list between the plugin's code and tests, but we actually would rather duplicate it. This avoids accidental changes to the list going unnoticed (since they need to be updated in the tests and in the code). This is a pattern that this codebase has been following for a long time now.
@@ -212,7 +214,6 @@ function CorsHandler:access(conf) | |||
end | |||
|
|||
local methods = conf.methods and concat(conf.methods, ",") | |||
or "GET,HEAD,PUT,PATCH,POST,DELETE" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please do not remove the fallback here (it doesn't seem like config.methods
is properly labelled as being required). And if it is, then we'd need to update the above assignment conditions anyway. But better stay safe here, we are shipping this patch as a fix without an RC cycle, let's not forget.
assert.is_nil(res.headers["Access-Control-Max-Age"]) | ||
assert.is_nil(res.headers["Vary"]) | ||
end) | ||
-- TODO rewrite test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is going to be a blocker. Can you rewrite the test, if it needs to? And if not, can you elaborate on what the issue is? Nonetheless, we cannot just disable a regression test just before shipping a major release.
["Access-Control-Request-Headers"] = "origin,accepts", | ||
["Access-Control-Request-Method"] = "GET", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you mind pointing us to the test that asserts the behavior fixed by this PR (i.e. that non-preflight OPTIONS
requests get properly proxied after a preflight request)?
end) | ||
end) | ||
end) | ||
|
||
describe("methods in cors schema", function() | ||
for _,method in ipairs({"HEAD", "GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "CONNECT"}) do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
style: missing a space after ,
and in the table definition ({ "HEAD", ... }
).
Manually merged with the appropriate tweaks. Thank you! |
Guys ! What are you doing ? The PR is not completed and i am working on tests :((( |
@eshepelyuk Don't worry! :) We really wanted your fix to go into 1.3.0 which is due to release today, so we took it to ourselves to make the final tweaks and get it merged. So this is marked as "closed" but it was really accepted — it's already live in the Thank you for contributing! (Also, could you sign the CLA at https://cla-assistant.io/Kong/kong?pullRequest=4899 ? Thank you!) |
@eshepelyuk Also, you need to sign the CLA using the account that owns the email that's in the commit: eshepelyuknewagesol — thanks! |
@hishamhm I tried it dozen of times and although I was told that SLA was signed - it's still pending :( |
@eshepelyuk I think the problem might be that you used two different Github accounts? Perhaps try logging in a private browser window, log into Github with the other account and then access https://cla-assistant.io/Kong/kong?pullRequest=4899 — let's hope this works! |
Summary
Fix cors plugin configuration and behavior for processing pre-flight requests to OPTIONS / TRACE / CONNECT endpoints
Full changelog
Issues resolved
Fix #4898