Fixed CORS origin handling.

ShogunPanda-archive · Jun 14, 2016 · a67b271 · a67b271
1 parent 3ce7a09
commit a67b271
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### 2016-06-14 / 1.0.1
+
+* Try to use the Origin request header first in CORS handling.
+
 ### 2016-06-04 / 1.0.0
 
 * Initial version.
diff --git a/lib/apes/concerns/request.rb b/lib/apes/concerns/request.rb
@@ -12,9 +12,7 @@ module Request
 
       # Sets headers for CORS handling.
       def request_handle_cors
-        cors_source = Apes::RuntimeConfiguration.development? ? "http://#{request_source_host}:4200" : Apes::RuntimeConfiguration.cors_source
-
-        headers["Access-Control-Allow-Origin"] = cors_source
+        headers["Access-Control-Allow-Origin"] = request.headers["Origin"] || Apes::RuntimeConfiguration.cors_source
         headers["Access-Control-Allow-Methods"] = "POST, GET, PUT, DELETE, OPTIONS"
         headers["Access-Control-Allow-Headers"] = "Content-Type, X-User-Email, X-User-Token"
         headers["Access-Control-Max-Age"] = 1.year.to_i.to_s

diff --git a/lib/apes/runtime_configuration.rb b/lib/apes/runtime_configuration.rb
@@ -56,7 +56,7 @@ def jwt_token(default = "secret")
       #
       # @param default [String] The fallback if no valid CORS source is found in Rails secrets file.
       # @return [String] The CORS source used by Apes.
-      def cors_source(default = "localhost")
+      def cors_source(default = "http://localhost")
         fetch_with_fallback(default) { Rails.application.secrets.cors_source }
       end
 

diff --git a/lib/apes/version.rb b/lib/apes/version.rb
@@ -16,7 +16,7 @@ module Version
     MINOR = 0
 
     # The patch version.
-    PATCH = 0
+    PATCH = 1
 
     # The current version of apes.
     STRING = [MAJOR, MINOR, PATCH].compact.join(".")

diff --git a/spec/apes/concerns/request_spec.rb b/spec/apes/concerns/request_spec.rb
@@ -44,13 +44,27 @@ def self.column_types
 
   describe "#request_handle_cors" do
     it "should set the right headers" do
+      allow(subject.request).to receive(:headers).and_return({})
+      allow(subject).to receive(:request_source_host).and_return("FOO")
+
+      subject.request_handle_cors
+      expect(subject.headers).to eq({
+        "Access-Control-Allow-Headers" => "Content-Type, X-User-Email, X-User-Token",
+        "Access-Control-Allow-Methods" => "POST, GET, PUT, DELETE, OPTIONS",
+        "Access-Control-Allow-Origin" => "http://localhost",
+        "Access-Control-Max-Age" => "31557600"
+      })
+    end
+
+    it "should use the Origin request header when appropriate" do
+      allow(subject.request).to receive(:headers).and_return({"Origin" => "http://whatever.com:123"})
       allow(subject).to receive(:request_source_host).and_return("FOO")
 
       subject.request_handle_cors
       expect(subject.headers).to eq({
         "Access-Control-Allow-Headers" => "Content-Type, X-User-Email, X-User-Token",
         "Access-Control-Allow-Methods" => "POST, GET, PUT, DELETE, OPTIONS",
-        "Access-Control-Allow-Origin" => "http://FOO:4200",
+        "Access-Control-Allow-Origin" => "http://whatever.com:123",
         "Access-Control-Max-Age" => "31557600"
       })
     end

diff --git a/spec/apes/runtime_configuration_spec.rb b/spec/apes/runtime_configuration_spec.rb
@@ -81,7 +81,7 @@
     end
 
     it "should fallback to a default" do
-      expect(Apes::RuntimeConfiguration.cors_source).to eq("localhost")
+      expect(Apes::RuntimeConfiguration.cors_source).to eq("http://localhost")
       expect(Apes::RuntimeConfiguration.cors_source("DEFAULT")).to eq("DEFAULT")
     end
   end