OAuth2 App enabled with CORS fix

[noveens]

Description

I removed the beforeController logic here due to the change of handling CORS since PR #28457

According to previous implementation, CORS was only allowed with methods that had @PublicPage notation for preventing CSRF attacks.
But in the latest PR by me, the current implementations is as follows:

• maintain a white-list of domains for whom CORS is enabled
• This list can be viewed and edited under settings -> personal -> security

This implementation removes the need for @PublicPage.

Related Issue

#28860

How Has This Been Tested?

Tested by @SamuAlfageme
More testing required since I can't reproduce the issue.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

@PVince81 @jesmrec @SamuAlfageme @Peter-Prochaska

[jesmrec]

👍

[PVince81]

@noveens also we made CORS allowed by default for all OCS endpoints.

[PVince81]

👍

[PVince81]

@noveens please add this one to your backport PR

[PVince81]

Jenkins slapped

[noveens]

@PVince81 ,

can you restart travis?

[phil-davis]

For Travis, you can click the "Details" link, select the job(s) that had a problem and press "restart".
I did that just now - there was only 1 job that had some dodgy error. It should pass when it gets run in the Travis queue.
and its happy now

[DeepDiver1975]

Are we fully droping the CORS annotation?
It is used by apps - e.g. https://github.com/owncloud/music/blob/735f7509a94048b38600d5a0995f6eabdfffb568/controller/settingcontroller.php#L96

Please verify that this is still working - and dev docs need to be updated

[DeepDiver1975]

also in notes app - https://github.com/owncloud/notes/blob/c4726b85f06f56299e78217d085f075101d23994/controller/notesapicontroller.php#L87

[PVince81]

@noveens please verify.

I suspect that even if the annotation is set, it will not break as CORS is enabled by default. Better check though to avoid surprises.

[noveens]

@DeepDiver1975 @PVince81 ,

We are not dropping the @CORS notation, In fact it is being used in the core server as well.
We are integrating the @CORS notation with the domain whitelisting management.

Like all the methods with @CORS would not have CORS for all domains but only the ones which have been whitelisted by the user.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.