diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a762de..f0187d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### 2016-06-14 / 1.0.1
+
+* Try to use the Origin request header first in CORS handling.
+
 ### 2016-06-04 / 1.0.0
 * Initial version.
\ No newline at end of file
diff --git a/lib/apes/concerns/request.rb b/lib/apes/concerns/request.rb
index 96a0108..b0fb935 100644
--- a/lib/apes/concerns/request.rb
+++ b/lib/apes/concerns/request.rb
@@ -12,9 +12,7 @@ module Request
 # Sets headers for CORS handling.
 def request_handle_cors
- cors_source = Apes::RuntimeConfiguration.development? ? "http://#{request_source_host}:4200" : Apes::RuntimeConfiguration.cors_source
-
- headers["Access-Control-Allow-Origin"] = cors_source
+ headers["Access-Control-Allow-Origin"] = request.headers["Origin"] || Apes::RuntimeConfiguration.cors_source
 headers["Access-Control-Allow-Methods"] = "POST, GET, PUT, DELETE, OPTIONS"
 headers["Access-Control-Allow-Headers"] = "Content-Type, X-User-Email, X-User-Token"
 headers["Access-Control-Max-Age"] = 1.year.to_i.to_s
diff --git a/lib/apes/runtime_configuration.rb b/lib/apes/runtime_configuration.rb
index 37a4185..781f1c4 100644
--- a/lib/apes/runtime_configuration.rb
+++ b/lib/apes/runtime_configuration.rb
@@ -56,7 +56,7 @@ def jwt_token(default = "secret")
 #
 # @param default [String] The fallback if no valid CORS source is found in Rails secrets file.
 # @return [String] The CORS source used by Apes.
- def cors_source(default = "localhost")
+ def cors_source(default = "http://localhost")
 fetch_with_fallback(default) { Rails.application.secrets.cors_source }
 end
diff --git a/lib/apes/version.rb b/lib/apes/version.rb
index bad3030..232d1dd 100644
--- a/lib/apes/version.rb
+++ b/lib/apes/version.rb
@@ -16,7 +16,7 @@ module Version
 MINOR = 0
 # The patch version.
- PATCH = 0
+ PATCH = 1
 # The current version of apes.
 STRING = [MAJOR, MINOR, PATCH].compact.join(".")
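Review bot: The new `Access-Control-Allow-Origin` line in request_handle_cors echoes whatever `Origin` the client sent, so `Apes::RuntimeConfiguration.cors_source` is only consulted for requests that carry no Origin header at all, which are not cross-origin browser requests; the configured source therefore no longer restricts which sites may call the API, while `Access-Control-Allow-Headers` still advertises `X-User-Email, X-User-Token` to every one of them. The Origin value should only be echoed when it matches the configured source (or the set of configured sources, if cors_source can return several, which this hunk does not show), with the configured value as the fallback, and the response should carry `Vary: Origin` now that it depends on a request header. The request_spec.rb hunk ("should use the Origin request header when appropriate") pins the echo-any-origin behaviour and would have to expect the fallback for an unconfigured origin instead. The method's closing `end` lies outside the hunk.
```ruby
def request_handle_cors
  allowed = Apes::RuntimeConfiguration.cors_source
  origin = request.headers["Origin"]
  # Echo the caller's Origin only when it is an allowed one; otherwise send the configured source.
  headers["Access-Control-Allow-Origin"] = Array(allowed).include?(origin) ? origin : Array(allowed).first
  headers["Vary"] = "Origin"
  # … unchanged: Allow-Methods, Allow-Headers and Max-Age headers …
```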
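Review bot: The `@param default` YARD line above the changed cors_source signature still describes the value only as "the fallback", while the new default shows the method is now expected to yield a full origin (scheme plus host, optionally port) that is sent back verbatim as `Access-Control-Allow-Origin`; a bare host name as before would never equal a browser-sent Origin. Suggest `# @param default [String] The fallback origin (scheme and host, e.g. "http://localhost") used when no valid CORS source is found in Rails secrets file.` The same expectation applies to the value read from `Rails.application.secrets.cors_source` on the context line below, which is worth stating in the same comment.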
diff --git a/spec/apes/concerns/request_spec.rb b/spec/apes/concerns/request_spec.rb
index e8910bf..c270b29 100644
--- a/spec/apes/concerns/request_spec.rb
+++ b/spec/apes/concerns/request_spec.rb
@@ -44,13 +44,27 @@ def self.column_types
 describe "#request_handle_cors" do
 it "should set the right headers" do
+ allow(subject.request).to receive(:headers).and_return({})
+ allow(subject).to receive(:request_source_host).and_return("FOO")
+
+ subject.request_handle_cors
+ expect(subject.headers).to eq({
+ "Access-Control-Allow-Headers" => "Content-Type, X-User-Email, X-User-Token",
+ "Access-Control-Allow-Methods" => "POST, GET, PUT, DELETE, OPTIONS",
+ "Access-Control-Allow-Origin" => "http://localhost",
+ "Access-Control-Max-Age" => "31557600"
+ })
+ end
+
+ it "should use the Origin request header when appropriate" do
+ allow(subject.request).to receive(:headers).and_return({"Origin" => "http://whatever.com:123"})
 allow(subject).to receive(:request_source_host).and_return("FOO")
 subject.request_handle_cors
 expect(subject.headers).to eq({
 "Access-Control-Allow-Headers" => "Content-Type, X-User-Email, X-User-Token",
 "Access-Control-Allow-Methods" => "POST, GET, PUT, DELETE, OPTIONS",
- "Access-Control-Allow-Origin" => "http://FOO:4200",
+ "Access-Control-Allow-Origin" => "http://whatever.com:123",
 "Access-Control-Max-Age" => "31557600"
 })
 end
diff --git a/spec/apes/runtime_configuration_spec.rb b/spec/apes/runtime_configuration_spec.rb
index 6866b87..9593a86 100644
--- a/spec/apes/runtime_configuration_spec.rb
+++ b/spec/apes/runtime_configuration_spec.rb
@@ -81,7 +81,7 @@
 end
 it "should fallback to a default" do
- expect(Apes::RuntimeConfiguration.cors_source).to eq("localhost")
+ expect(Apes::RuntimeConfiguration.cors_source).to eq("http://localhost")
 expect(Apes::RuntimeConfiguration.cors_source("DEFAULT")).to eq("DEFAULT")
 end
 end