fix: Fix cors headers

[alexgarel]

• centralize cors headers handling in perl code

• add Access-Control-Allow-Methods correctly

• add tests

• cleaned nginx prod configurations

• make docker nginx more close to production configuration

should fix:

• [Bug] Unable to update product packaging from hunger game #7796
• Clean CORS handling #7901

[teolemon]

Noice 👍

[alexgarel]

I want a validation of @stephanegigandet on this one, as it is a big refactor !

[stephanegigandet]

Looks good to me, but I have not tested it. Maybe wait until January until we merge and deploy this.

[stephanegigandet]

Thanks for adding all the tests. :)

[stephanegigandet]

I think we should move this file to conf/nginx/nginx.conf (which currently seems to contain the default nginx.conf)

[stephanegigandet]

ah I'm confused, this nginx.conf file is only for docker, which does not use the files in sites-available?

[alexgarel]

yes for docker we have a different config than in prod.

So I kept the nginx conf for prod in conf/nginx, while docker simply uses conf/nginx.conf
(a docker nginx instance only serve one application, and obf, opf, etc. are not docker ready yet.)

[stephanegigandet]

Deployed on https://world.openfoodfacts.dev and https://world.pro.openfoodfacts.dev with a few minor changes to add the off:off authentication and change .org to .dev

also removed the const { off } = require("gulp") line

[stephanegigandet]

For some reason, I don't get the access-control-allow-origin: * header for v3 API queries, but I do get it for v2. (same in prod in fact)

$ curl -i -X OPTIONS https://off:off@world.openfoodfacts.dev/api/v3/product/12345678143
HTTP/2 404 
server: nginx/1.10.3
date: Mon, 02 Jan 2023 17:55:09 GMT
content-type: application/json; charset=utf-8
x-frame-options: DENY
x-content-type-options: nosniff
x-download-options: noopen
x-xss-protection: 1; mode=block
x-request-id: cJ90QvVhm9SHiqqk

{"code":"12345678143","errors":[{"field":{"id":"12345678143","value":"12345678143"},"impact":{"id":"failure","lc_name":"Failure","name":"Failure"},"message":{"id":"product_not_found","lc_name":"","name":""}}],"result":{"id":"product_not_found","lc_name":"Product not found","name":"Product not found"},"status":"failure","warnings":[]}

$ curl -i -X OPTIONS https://off:off@world.openfoodfacts.dev/api/v2/product/12345678143
HTTP/2 404 
server: nginx/1.10.3
date: Mon, 02 Jan 2023 17:55:17 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: *
x-frame-options: DENY
x-content-type-options: nosniff
x-download-options: noopen
x-xss-protection: 1; mode=block
x-request-id: kP8kuV7uX2Gq5ZkN

[alexgarel]

@stephanegigandet

For some reason, I don't get the access-control-allow-origin: * header for v3 API queries, but I do get it for v2. (same in prod in fact)

Are you sure you have the right code ? (it's not just a nginx config)

For you should not only have "access-control-allow-origin: *" but also the "Access-Control-Allow-Methods" header.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[stephanegigandet]

I redeployed and tested again, all good!