SDI-1659: support for CORS header #1509
Conversation
mgmt/rest/server.go
Outdated
|
|
||
| // Deals with CORS | ||
| c := cors.New(cors.Options{ | ||
| AllowedOrigins: []string{"*"}, |
There was a problem hiding this comment.
I don't think that it's safe to allow unrestricted access from any domain. Is there a possibility to constrain allowed origins - via snapteld configuration maybe?
There was a problem hiding this comment.
@andrzej-k, agreed your concerns. Should we allow localhost for now until we know whoch domains are allowed?
There was a problem hiding this comment.
Configurable with 'localhost' as the default?
There was a problem hiding this comment.
@jcooklin, sounds good. I'll add it as a global option.
mgmt/rest/server.go
Outdated
| // Deals with CORS | ||
| c := cors.New(cors.Options{ | ||
| AllowedOrigins: []string{"*"}, | ||
| AllowedMethods: []string{"GET, POST, DELETE, PUT, PATCH, OPTIONS"}, |
There was a problem hiding this comment.
Not all of the HTTP methods were allowed previously. I believe it would be the safest to keep the list of allowed methods to a necessary minimum.
PATCH - I didn't find it declared for any of REST controllers. Are you sure we need to allow it?
OPTIONS - the same as for PATCH. It's not needed for pre-flight requests. Negroni allows it implicitly only for the purpose of CORS. On the other hand, if it's needed for Snap API, it should be enabled with a flag OptionsPassthrough.
There was a problem hiding this comment.
OPTIONS is needed for preflight. I can remove PATCH for now.
There was a problem hiding this comment.
Yes, you're right - OPTIONS are needed for preflight. But isn't it handled before the actual request? I'm thinking about this: https://github.com/rs/cors/blob/master/cors.go#L189. I guess the actual request handling and method checking takes place later.
There was a problem hiding this comment.
@marcintao, thanks for looking into it. However, Snap has two places to be patched. One place cannot use the lib. I added maxAge to ease your concerns. Please let me know any other suggestions you have.
candysmurf
force-pushed
the
cors
branch
2 times, most recently
from
4abab8f
to
e431cc7
Compare
|
@andrzej-k, @marcintao, @jcooklin, CORS PR is updated. Please review when you have a chance. |
docs/SNAPTELD_CONFIGURATION.md
Outdated
| @@ -192,6 +192,9 @@ restapi: | |||
|
|
|||
| # port sets the port to start the REST API server on. Default is 8181 | |||
| port: 8181 | |||
|
|
|||
| # corsd sets the allowed origins in a comma separated list. It defaults to the same origin if the value is empty. | |||
| corsd: http://127.0.0.1:8080, http://snap.example.io, http://example.com | |||
There was a problem hiding this comment.
- "corsd" sounds cryptic - how about changing to, for example: "allowed_origins"?
- Will it work with https origins? If so, maybe add to the list https example also
mgmt/rest/flags.go
Outdated
| @@ -60,7 +60,11 @@ var ( | |||
| Name: "pprof", | |||
| Usage: "Enables profiling tools", | |||
| } | |||
| flCorsd = cli.StringFlag{ | |||
| Name: "corsd", | |||
There was a problem hiding this comment.
Consider changing to, for example "allowed_origins"
mgmt/rest/server.go
Outdated
| @@ -60,6 +70,7 @@ type Server struct { | |||
| // the following instance variables are used to cleanly shutdown the server | |||
| serverListener net.Listener | |||
| closingChan chan bool | |||
| allowedOrigins map[string]bool | |||
There was a problem hiding this comment.
It doesn't seem that "allowedOrigins" is used to "cleanly shutdown the server" - consider moving new variable before this comment.
There was a problem hiding this comment.
not sure your comment here. It's used in authMiddleware method.
There was a problem hiding this comment.
I'm just saying that "allowedOrigins" variable is added in a section which is described with a comment (3 lines above):
// the following instance variables are used to cleanly shutdown the server
This may be misleading, so I just proposed to move "allowedOrigins" before that comment, i.e. 4 lines up.
mgmt/rest/server_test.go
Outdated
| Convey("Origins match results", func() { | ||
| So(s.allowedOrigins, ShouldResemble, map[string]bool{"http://127.0.0.1:80": true, "http://example.com": true}) | ||
| So(len(o), ShouldEqual, 2) | ||
| }) |
There was a problem hiding this comment.
Consider adding more rainy day scenarios, ie. incorrect origin format, incorrect separator, etc.
mgmt/rest/server.go
Outdated
| for _, o := range os { | ||
| s.allowedOrigins[strings.TrimSpace(o)] = true | ||
| } | ||
| return os |
There was a problem hiding this comment.
Consider adding more validation, for example if origin format is correct, something like:
- httpa://domain.com
- 127.0.0.0.1
- http://?domain.com
- ...
should not pass, and user should be warned early that configuration is not valid.
|
@andrzej-k, thanks for your awesome review. I changed the name, added URL validation and more negative tests as you suggested. Please let me know if anything else. |
candysmurf
force-pushed
the
cors
branch
2 times, most recently
from
3c8774a
to
7ed7e38
Compare
docs/SNAPTELD_CONFIGURATION.md
Outdated
| @@ -195,6 +195,9 @@ restapi: | |||
|
|
|||
| # port sets the port to start the REST API server on. Default is 8181 | |||
| port: 8181 | |||
|
|
|||
| # corsd sets the allowed origins in a comma separated list. It defaults to the same origin if the value is empty. | |||
There was a problem hiding this comment.
"corsd" -> "allowed_origins"
mgmt/rest/server.go
Outdated
| @@ -60,6 +70,7 @@ type Server struct { | |||
| // the following instance variables are used to cleanly shutdown the server | |||
| serverListener net.Listener | |||
| closingChan chan bool | |||
| allowedOrigins map[string]bool | |||
There was a problem hiding this comment.
I'm just saying that "allowedOrigins" variable is added in a section which is described with a comment (3 lines above):
// the following instance variables are used to cleanly shutdown the server
This may be misleading, so I just proposed to move "allowedOrigins" before that comment, i.e. 4 lines up.
|
good catch! Changed. Thanks @andrzej-k! |
|
LGTM |
added global config, tests, docs for cors added url validation, more nagtive tests changed typo and variable localtion
Fixes #998
Summary of changes:
Testing done:
@intelsdi-x/snap-maintainers