bug: make actix-cors more permissive (#929)

* bug: make actix-cors more permissive Closes: #928
mozilla-services · Nov 20, 2020 · 1a7e817 · 1a7e817
1 parent 37b2788
commit 1a7e817
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 11 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -68,7 +68,7 @@ slog-mozlog-json = "0.1"
 slog-scope = "4.3"
 slog-stdlog = "4.1"
 slog-term = "2.6"
-time = "0.2"
+time = "^0.2.23"
 tokio = { version = "0.2", features = ["macros"] }
 url = "2.1"
 urlencoding = "1.1"

diff --git a/src/db/spanner/models.rs b/src/db/spanner/models.rs
@@ -571,7 +571,7 @@ impl SpannerDb {
             .execute_async(&self.conn)?
             .one_or_none()
             .await?
-            .ok_or_else(|| DbErrorKind::CollectionNotFound)?;
+            .ok_or(DbErrorKind::CollectionNotFound)?;
         let modified = SyncTimestamp::from_rfc3339(&result[0].get_string_value())?;
         Ok(modified)
     }

diff --git a/src/server/metrics.rs b/src/server/metrics.rs
@@ -58,7 +58,7 @@ impl From<&HttpRequest> for Metrics {
     fn from(req: &HttpRequest) -> Self {
         let exts = req.extensions();
         let def_tags = Tags::from_request_head(req.head());
-        let tags = exts.get::<Tags>().unwrap_or_else(|| &def_tags);
+        let tags = exts.get::<Tags>().unwrap_or(&def_tags);
         Metrics {
             client: match req.app_data::<Data<ServerState>>() {
                 Some(v) => Some(*v.metrics.clone()),

diff --git a/src/server/mod.rs b/src/server/mod.rs
@@ -79,7 +79,11 @@ macro_rules! build_app {
             .wrap(middleware::sentry::SentryWrapper::default())
             .wrap(middleware::rejectua::RejectUA::default())
             // Followed by the "official middleware" so they run first.
-            .wrap(Cors::default())
+            // actix is getting increasingly tighter about CORS headers. Our server is
+            // not a huge risk but does deliver XHR JSON content.
+            // For now, let's be permissive and use NGINX (the wrapping server)
+            // for finer grained specification.
+            .wrap(Cors::permissive())
             .service(
                 web::resource(&cfg_path("/info/collections"))
                     .route(web::get().to(handlers::get_collections)),

diff --git a/src/web/tokenserver.rs b/src/web/tokenserver.rs
@@ -226,7 +226,7 @@ def hash_device_id(fxa_uid, device, secret):
 
         let fxa_kid = format!(
             "{:013}-{:}",
-            user_record[0].keys_changed_at.unwrap_or_else(|| 0),
+            user_record[0].keys_changed_at.unwrap_or(0),
             client_state_b64
         );
         let thedict = [