Merge pull request #3571 from alphagov/cors-autocomplete

Add CORS configuration for autocomplete API
alphagov · Dec 12, 2024 · 6abdcb0 · 6abdcb0
2 parents 46d4803 + cf3002f
commit 6abdcb0
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 1 deletion.
diff --git a/Gemfile b/Gemfile
@@ -13,6 +13,7 @@ gem "govuk_ab_testing"
 gem "govuk_app_config"
 gem "govuk_publishing_components"
 gem "govuk_web_banners"
+gem "rack-cors"
 gem "rest-client"
 gem "slimmer"
 gem "sprockets-rails"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -498,6 +498,8 @@ GEM
       nio4r (~> 2.0)
     racc (1.8.1)
     rack (3.1.8)
+    rack-cors (2.0.2)
+      rack (>= 2.0.0)
     rack-proxy (0.7.7)
       rack
     rack-session (2.0.0)
@@ -695,6 +697,7 @@ DEPENDENCIES
   launchy
   listen
   pry-byebug
+  rack-cors
   rails (= 7.2.2)
   rails-controller-testing
   rest-client

diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
@@ -0,0 +1,15 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  # Allow the autocomplete API to be accessed from any GOV.UK domain, including
+  # non-production ones. This enables autocomplete on CSV preview GOV.UK pages,
+  # which are hosted on assets.publishing.service.gov.uk.
+  # This also allows for local development usage.
+  allow do
+    origins %r{(www|dev|publishing\.service)\.gov\.uk\z}
+
+    resource "/api/search/autocomplete*",
+             headers: :any,
+             methods: %i[get]
+  end
+end
diff --git a/spec/requests/api/autocomplete_spec.rb b/spec/requests/api/autocomplete_spec.rb
@@ -5,13 +5,14 @@
 
   let(:suggestions) { %w[blue grey red] }
   let(:autocomplete_response) { instance_double(GdsApi::Response, to_hash: { suggestions: }) }
+  let(:params) { { q: "loving him was" } }
 
   before do
     allow(Services).to receive(:search_api_v2).and_return(search_api_v2)
   end
 
   it "returns suggestions from Search API v2" do
-    get "/api/search/autocomplete?q=loving+him+was"
+    get "/api/search/autocomplete", params: params
 
     expect(search_api_v2).to have_received(:autocomplete).with("loving him was")
     expect(response).to be_successful
@@ -23,4 +24,31 @@
 
     expect(response).to have_http_status(:bad_request)
   end
+
+  describe "CORS headers" do
+    %w[https://www.gov.uk http://example.dev.gov.uk https://example.publishing.service.gov.uk].each do |allowed_host|
+      it "returns CORS headers for #{allowed_host}" do
+        get "/api/search/autocomplete", params:, headers: { Origin: allowed_host }
+
+        expect(response.headers.to_h).to include({
+          "access-control-allow-origin" => allowed_host,
+          "access-control-allow-methods" => "GET",
+        })
+      end
+    end
+
+    it "returns CORS headers when there is a format extension on the path" do
+      get "/api/search/autocomplete.json", params:, headers: { Origin: "https://www.gov.uk" }
+
+      expect(response.headers)
+        .to include("access-control-allow-origin", "access-control-allow-methods")
+    end
+
+    it "doesn't return CORS headers for an unsupported hosts" do
+      get "/api/search/autocomplete", params:, headers: { Origin: "https://www.gov.uk.non-govuk.com" }
+
+      expect(response.headers)
+        .not_to include("access-control-allow-origin", "access-control-allow-methods")
+    end
+  end
 end