Allow cred/authorization header CORS #101
Conversation
config.go
Outdated
| // results in the HTTP header "AllowOrigins". | ||
| // | ||
| // Added in v5.0.0. | ||
| AllowOrigins string |
There was a problem hiding this comment.
I think this should be a slice of strings. While the header only can include 1 value, IIRC Gin will check the Origin header from the request and use the appropriate origin in the response header.
While we probably won't need more than 1, it's good to have the option available, especially since it's such an easy change but hard to change later as it changes the config schema.
Apparently Viper (that we're using for the configs) supports slices by separating elements via a comma.
(https://github.com/spf13/viper/blob/v1.7.1/viper.go#L920)
So you can change this to []string and then add something like this to the godoc:
Multiple origins can be supplied via environment variables by separating them by commas. YAML configuration is expected to use a regular array of strings.
main.go
Outdated
| @@ -110,7 +110,14 @@ func main() { | |||
| ginutil.RecoverProblem, | |||
| ) | |||
|
|
|||
| if config.HTTP.CORS.AllowAllOrigins { | |||
| if len(config.HTTP.CORS.AllowOrigins) > 0 { | |||
| log.Info().Message("Allowing " + config.HTTP.CORS.AllowOrigins + " origins in CORS.") | |||
There was a problem hiding this comment.
nit: A rule of thumb I've used for logs is to not have anything varying in the message.
Suggest moving the config value here to a WithString call. For example:
| log.Info().Message("Allowing " + config.HTTP.CORS.AllowOrigins + " origins in CORS.") | |
| log.Info().WithString("origin", config.HTTP.CORS.AllowOrigins). | |
| Message("Allowing origins in CORS.") |
But if you're changing to a string slice, then perhaps just something like this:
| log.Info().Message("Allowing " + config.HTTP.CORS.AllowOrigins + " origins in CORS.") | |
| log.Info().WithStringf("origin", "%v", config.HTTP.CORS.AllowOrigins). | |
| Message("Allowing origins in CORS.") |
^ would resolve to something like origins=`[http://localhost:5001 http://localhost:4200]` in the console output for multiple values
Otherwise a more custom solution:
| log.Info().Message("Allowing " + config.HTTP.CORS.AllowOrigins + " origins in CORS.") | |
| log.Info().WithString("origin", strings.Join(config.HTTP.CORS.AllowOrigins, " ")). | |
| Message("Allowing origins in CORS.") |
^ would resolve to something like origins=`http://localhost:5001 http://localhost:4200` in the console output for multiple values
fredx30
force-pushed
the
feature/cors-credentials-allow-origin-specific
branch
from
3dea685
to
49fb077
Compare
applejag
force-pushed
the
feature/cors-credentials-allow-origin-specific
branch
from
b5ca077
to
ed95856
Compare
Co-authored-by: kalle (jag) <kalle.jillheden@iver.se>
fredx30
force-pushed
the
feature/cors-credentials-allow-origin-specific
branch
from
ed95856
to
25e4e8b
Compare
CHANGELOG.mdfile, according to docs:https://iver-wharf.github.io/#/development/changelogs/writing-changelogs
Summary
This adds a environment variable that allows setting a cors allowed origin. When this is set Authrization Bearer tokens will also be allowed to be sent. This overrides the allow all origins header. When sending credentials allow all origins is not allowed.
Motivation
When sending credentials allow all origins is not allowed. The way the OICD login is set to work credentials need to be sent and will use the
authorizationheader.