Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CORS header ('Access-Control-Allow-Origin') to public APIs #327

Merged
merged 1 commit into from
Sep 1, 2020

Conversation

Dar13
Copy link
Contributor

@Dar13 Dar13 commented Jun 21, 2020

This permits external websites to query WriteFreely instances for:

  • Collections
  • Public posts in collections
  • Specific public posts.

Without these changes, websites attempting to use the public API to query collections (such as my site: moor3.xyz, source) will receive CORS errors. @cjeller1592 helped me in the past with a CORS proxy (discussion), but it's time to fix it at the source.

I consider this PR to be more like an RFC, I'm fully open to guidance/critique on how to make these changes acceptable.


  • I have signed the CLA

@thebaer
Copy link
Member

thebaer commented Jun 22, 2020

Thank you for taking this on! I agree we should fix this in the application, and these are probably the most important API endpoints to do this on.

One thing that jumps out at me: as it stands, the header will only be set on successful responses. If an error is returned in any of these funcs, it bubbles up to the Handler.All() middleware and the Access-Control-Allow-Origin header is never set.

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line: https://github.com/writeas/writefreely/blob/5c94d23466dc3e7e1821b845d9d7db9294c48af4/handle.go#L541

Allows all API endpoints using 'AllReader' to be queryable by any
origin.
@Dar13 Dar13 force-pushed the add-cors-headers-public-api branch from b57a4cb to 94bcb91 Compare June 24, 2020 00:35
@Dar13
Copy link
Contributor Author

Dar13 commented Jun 24, 2020

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line

It seems AllReader is a suitable place only GET requests use it currently. Those endpoints are (as best as I can tell) also endpoints that don't require authentication if the instance is public. I've adjusted the patch in this PR accordingly.

For authenticated endpoints I think a more fully-fleshed out approach is needed, such as users choosing which origin(s) are permitted to query/update/post/etc among others.

@thebaer thebaer added this to the 0.13 milestone Jul 23, 2020
@thebaer
Copy link
Member

thebaer commented Sep 1, 2020

Sorry for the delay on this! I agree, the AllReader method is a good place for the header that should cover most basic needs.

Beyond that, we can definitely expand on this with better customization in the future. If you'd like to get that discussion started, please feel free to start a topic on the forum!

Merging now -- thanks again for contributing!

@thebaer thebaer merged commit f75d4cb into writefreely:develop Sep 1, 2020
@Dar13 Dar13 deleted the add-cors-headers-public-api branch September 30, 2020 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants