Provide a way to specify a regex for allowed origins #4963
Comments
Please assign this to me ~ 🥺
It's all yours. Thanks! 😆
@minwoox Thank you for assigning the issue to me 😄. I have a question about the issue. It seems that Armeria allows users to configure CORS in the ways below:
Should we provide features that allow users to configure origins using regex by adding an additional field such as
We are specifying the origin when we create the builder so I prefer to specify the regex when creating a builder:

```
CorsService.builderForRegex("^https:\\/\\/.*example.com$")
           .allowRequestMethods(HttpMethod.POST, HttpMethod.GET)
           .andForOriginRegex("^https:\\/\\/.*example2.com$")
           .allowRequestMethods(HttpMethod.GET)
           .and()
           .newDecorator()));
// Use Pattern
Pattern regex = ...
CorsService.builderForRegex(regex)
           .allowRequestMethods(HttpMethod.POST, HttpMethod.GET)
...
```

We can also specify the regex string to

```
@CorsDecorator(
    originRegex = "^https:\\/\\/.*example.com$",
    pathPatterns = "glob:/**/configured",
    allowedRequestMethods = HttpMethod.GET
)
```

We can also add a predicate for the builder only. (Not for the annotation)

```
Predicate predicate = ...
CorsService.builder(predicate)
           .allowRequestMethods(HttpMethod.POST, HttpMethod.GET)
```
Thank you for your detailed comment. I want to make sure that I understand what features are needed 😄.
Yes, exactly. 😄 We also need to add those methods to

```
class CorsService {
    public static CorsServiceBuilder builder(Predicate<String> predicate) {...}
    // Need to consider a better name.
    public static CorsServiceBuilder builderForOriginRegex(String regex) {...}
    public static CorsServiceBuilder builderForOriginRegex(Pattern regex) {...}
}
class CorsServiceBuilder {
    CorsServiceBuilder(Predicate<String> predicate) {...}
    CorsServiceBuilder(Pattern regex) {...}
    public ChainedCorsPolicyBuilder andForOriginRegex(String regex) {...}
    public ChainedCorsPolicyBuilder andForOriginRegex(Pattern regex) {...}
}
class CorsPolicy {
    public static CorsPolicyBuilder builder(Predicate<String> predicate) {...}
    public static CorsPolicyBuilder builderForOriginRegex(String regex) {...}
    public static CorsPolicyBuilder builderForOriginRegex(Pattern regex) {...}
}
class CorsPolicyBuilder {
    CorsPolicyBuilder(Predicate<String> predicate) {...}
    CorsPolicyBuilder(Pattern regex) {...}
}
public @interface CorsDecorator {
    String[] origins();
    String originRegex(); // We could probably raise an exception if both origins and originRegex are specified.
    ...
}
```

We also need to make

```
class WebSocketServiceBuilder {
    public WebSocketServiceBuilder allowedOrigins(Predicate<String> predicate) {...}
}
```
Hi @minwoox, thank you for the super detailed and wonderful explanation. I wonder what policy we should take.
Based on the comment you wrote in the code below, it seems that we might not want users to specify both

```
public @interface CorsDecorator {
    String[] origins();
    String originRegex(); // We could probably raise an exception if both origins and originRegex are specified.
    ...
}
```
This is what I'm saying.
… for CORS allowed origins (#4982)

Motivation:
Allow users to specify CORS allowed origins by regular expression or `Predicate<String>`

Modifications:
Users can specify allowed origins by using regular expression or `Predicate<String>` like below.

<b>CorsDecorator</b>
```
@CorsDecorator(
    originRegex = "http://example.*",
    allowedRequestMethods = HttpMethod.GET
)
```

<b>`CorsService`'s `builderForOriginRegex` or `builder(Predicate<String> originPredicate)`</b>
```
sb.service("/cors15", myService.decorate(
        CorsService.builderForOriginRegex("http://example.*")
                   .allowRequestMethods(HttpMethod.GET)
                   .newDecorator()));
sb.service("/cors17", myService.decorate(
        CorsService.builder(origin -> origin.contains("example") || origin.contains("line"))
                   .allowRequestMethods(HttpMethod.GET)
                   .newDecorator()));
```
or per route
```
sb.annotatedService("/cors18", new Object() {
    @Get("/index1")
    public void index1() {}

    @Post("/index2")
    public void index2() {}

    @Delete("/index3")
    public void index3() {}
}, CorsService.builder()
              .andForOriginRegex("http://example.*")
              .route("/cors18/index1")
              .allowRequestMethods(HttpMethod.GET)
              .and()
              .andForOriginRegex(Pattern.compile(".*line.*"))
              .route("/cors18/index2")
              .allowRequestMethods(HttpMethod.POST)
              .and()
              .andForOrigin((origin) -> origin.contains("armeria"))
              .route("/cors18/index3")
              .allowRequestMethods(HttpMethod.DELETE)
              .and()
              .newDecorator());
```

<b>`WebSocketServiceBuilder`'s `allowedOrigins(Predicate<String> originPredicate)`</b>
```
sb.route()
  .path("/chat")
  .build(WebSocketService.builder(new CustomWebSocketServiceHandler())
                         .allowedOrigins(origin -> origin.contains("armeria"))
                         .build());
```

Result:
- Closes #<#4963>. (If this resolves the issue.)
- Users can use regular expression or `Predicate<String>` to specify allowed origins

---------

Co-authored-by: minwoox <songmw725@gmail.com>
Co-authored-by: Ikhun Um <ih.pert@gmail.com>
closed by #4982
Currently, we use the exact match for the allowed origin:
armeria/core/src/main/java/com/linecorp/armeria/server/cors/CorsConfig.java
Line 108 in 5b384fb
This can be a problem if there are tremendous subdomains that are frequently changed because users cannot specify all of them.
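
A regex or predicate origin rule is only as tight as its pattern, so it is worth checking a rule against sample origins before deploying it. The following is an added example, not Armeria code and not code from this thread: it evaluates the rules quoted above with plain `java.util.regex`, assuming a regex rule must match the whole `Origin` value (`Matcher.matches()`). The origin list, the trusted/untrusted labels and the stricter final pattern are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class OriginRuleCheck {
    // Assumption: a regex rule must match the entire Origin header value.
    static Predicate<String> fullMatch(String regex) {
        Pattern p = Pattern.compile(regex);
        return origin -> p.matcher(origin).matches();
    }

    public static void main(String[] args) {
        Map<String, Predicate<String>> rules = new LinkedHashMap<>();
        // Rules copied from the thread and the commit message.
        rules.put("^https:\\/\\/.*example.com$", fullMatch("^https:\\/\\/.*example.com$"));
        rules.put("http://example.*", fullMatch("http://example.*"));
        rules.put("origin.contains(\"example\")", origin -> origin.contains("example"));
        // Constructed stricter rule: fixed scheme, whole DNS labels only, escaped dots.
        rules.put("^https://([a-z0-9-]+\\.)*example\\.com$",
                  fullMatch("^https://([a-z0-9-]+\\.)*example\\.com$"));

        // Constructed origins; the value records whether the site is meant to be trusted.
        Map<String, Boolean> origins = new LinkedHashMap<>();
        origins.put("https://example.com", true);
        origins.put("https://api.example.com", true);
        origins.put("http://example.com", true);
        origins.put("https://notexample.com", false);
        origins.put("https://example.com.other.test", false);
        origins.put("http://example.com.other.test", false);
        origins.put("https://other.test", false);

        for (Map.Entry<String, Predicate<String>> rule : rules.entrySet()) {
            System.out.println("rule: " + rule.getKey());
            for (Map.Entry<String, Boolean> o : origins.entrySet()) {
                boolean allowed = rule.getValue().test(o.getKey());
                // Flag the security-relevant direction: accepted although not trusted.
                String note = allowed && !o.getValue() ? "  <-- allowed but not trusted" : "";
                System.out.printf("  %-32s %s%s%n", o.getKey(), allowed ? "allow" : "deny", note);
            }
        }
    }
}
```

The same table can be turned into a unit test that fails whenever a rule accepts an origin labelled untrusted.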