GraphQl Cors Support #31484
Conversation
Hi @G-Arvind. Thank you for your contribution
❗ Automated tests can be triggered manually with an appropriate comment:
You can find more information about the builds here.
ℹ️ Please run only needed test builds instead of all when developing. Please run all test builds before sending your PR for review. For more details, please review the Magento Contributor Guide documentation.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of Pull Requests happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.
🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel.
✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel.
@magento run all tests

4b0c66d to 89be26c

@magento run all tests

89be26c to b5bb41f

@magento run all tests
@G-Arvind . Thank you for your work.
One suggestion though:
Currently, the integration tests we have for GraphQl are located under this path: dev/tests/integration/testsuite/Magento/ and we should not have them under the app/code directory.
For example, look at one of the integration tests for GraphQl: dev/tests/integration/testsuite/Magento/GraphQlCache.
So if you could move this "CorsGraphQlTest" to the appropriate directory and update the namespace, that'd be great.
Please check any of the existing GraphQl integration tests (ex: CategoriesWithProductsCacheTest.php) for reference.
Also, please remember to run this test locally to make sure there are no failures.
Thanks!
@magento run all tests

@G-Arvind, looks like the below test is failing consistently. Not sure if you were able to reproduce this failure locally. Can you please take a look? Might want to sync your branch with mainline/2.4-develop.

```php
$this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
$this->assertNotFalse($response->getHeader('Access-Control-Allow-Headers'));
$this->assertNotFalse($response->getHeader('Access-Control-Allow-Methods'));
$this->assertNotFalse($response->getHeader('Access-Control-Max-Age'));
```
@G-Arvind, please make sure to assert that `$response->getContent()` doesn't have any errors. Also, assert that you get the productData back.
Verified that the response is not having any errors, also validated the response.

```php
$this->assertFalse($response->getHeader('Access-Control-Allow-Headers'));
$this->assertFalse($response->getHeader('Access-Control-Allow-Methods'));
$this->assertFalse($response->getHeader('Access-Control-Max-Age'));
}
```
It'd be great if you could add an additional use case by setting the HTTP method "OPTIONS" on the request, since CORS allows this method. Please remember to add the assertion that the response doesn't have any errors.
Thanks.
Added OPTIONS test case with error validation.
This is clearly a copy-pasta of my module: https://github.com/graycoreio/magento2-cors. While my code is MIT-licensed, you can't simply rename a class and remove my copyright. Please at least add the appropriate attribution.

If Magento merges this without the copyright they're also in copyright violation 🙊

@damienwebdev thanks for pointing it out. We will review this issue.

@damienwebdev thanks for raising this issue, we're going to hold this PR while we review this internally and determine the best course of action. Rest assured we always intend to attribute the correct author in any work contributed.

Hi @damienwebdev, the intention was not to copy paste and I also didn't copy paste your work. I kept your module as an inspiration/reference and re-created the functionality; the requirements are also the same, like using env for storing config instead of saving in admin etc., so it is appearing as a copy paste. Iterating again, I had no intention to copy paste your module. Thanks. I have added appropriate attribution, sorry for missing it out earlier. Thanks.
@G-Arvind, not particularly mad about it. I just want to make sure the attribution is included. If we want to discuss specifics of the PR where I'm concerned you did in-fact copy-paste... Yes, you made two small improvements to the function, and you moved the function. But, the body of that function is otherwise a raw copy/paste with some small modifications. I'll gladly admit that the module is not something mind-blowingly novel and the HeaderProvider behavior is a core feature that we both utilize, so the similarities of those are natural products of Core. Your constant choices are eerily similar (albeit natural). Your interfacing is also eerily similar, yours and mine

Finally, it's rather suspicious that your code is missing

I get that you took inspiration from my code -- it's MIT-licensed intentionally. But, it's important that if you're going to use someone else's code, you properly attribute it. Simply including in the PR @damienwebdev or referencing the repo on the Github PR would have been sufficient so that your reviewers know that the code came from somewhere. This is also an important part of the Adobe CLA -- you agreed when you signed it that your code is in-fact your own and not based upon anyone else's.

Is enough to get Adobe into trouble if this code had been merged without attribution. I would wholly have been in my rights to DMCA the Magento 2 repo for that. Would I do that? Absolutely not, that would be stupid and the antithesis of the progress that FOSS works towards.
As a code-review comment, to move past the copyright issues: I also think that this PR is incomplete as it stands. Many of the features that are included in my module are missing from here. For example, there's a nasty DoS vulnerability (I leave this to the reader to figure out on their own) that can occur if you use this code with an http in-memory cache (e.g. Varnish) and do not include the Vary header.

In addition, these are the following necessary headers:
- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Max-Age
- Access-Control-Expose-Headers
- Access-Control-Allow-Credentials

You are missing

Additionally, you should not apply the headers to both the preflight request AND the actual request, you should apply
to both, and
specifically to the Preflight only.
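The two points in the comment above (the preflight/actual-request split and the cache problem when `Vary` is missing) can be made concrete with a small model. The following is an added example written for this page; it is not code from this PR, from Magento core, or from graycoreio/magento2-cors. It builds the CORS response headers for one request and then runs the same endpoint behind a toy shared cache that keys variants the way a Varnish-style proxy does when it honours `Vary`. The allow-list, header values and the `/graphql` URL are constructed; which headers belong on the preflight versus the actual response follows the Fetch standard, since the comment elides its own list.

```python
"""Added example: CORS header placement and the Vary: Origin cache problem.

Not code from the PR, Magento core, or magento2-cors. The allow-list and
header values below are constructed stand-ins for what the PR reads from
env.php; header placement follows the Fetch standard.
"""
from __future__ import annotations

# Constructed configuration (stand-in for env.php values).
ALLOWED_ORIGINS = {"https://shop.example", "https://admin.example"}
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = "Content-Type, Authorization, Store"
MAX_AGE = "86400"
EXPOSE_HEADERS = "X-Magento-Cache-Id"
ALLOW_CREDENTIALS = True


def cors_headers(method: str, request_headers: dict, emit_vary: bool = True) -> dict:
    """CORS response headers for one request.

    Allow-Origin and Allow-Credentials go on every CORS response (the
    origin is echoed back only if it is on the allow-list, never reflected
    blindly). Allow-Methods/Allow-Headers/Max-Age are preflight-only;
    Expose-Headers matters only on the actual response. `Vary: Origin` is
    emitted whenever the response depends on the Origin header, so shared
    caches store one variant per origin; emit_vary=False models the PR.
    """
    origin = request_headers.get("Origin")
    headers = {"Vary": "Origin"} if emit_vary else {}
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers  # not a CORS request, or origin not allowed: no ACAO
    headers["Access-Control-Allow-Origin"] = origin
    if ALLOW_CREDENTIALS:
        headers["Access-Control-Allow-Credentials"] = "true"
    is_preflight = method == "OPTIONS" and "Access-Control-Request-Method" in request_headers
    if is_preflight:
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = MAX_AGE
    else:
        headers["Access-Control-Expose-Headers"] = EXPOSE_HEADERS
    return headers


def origin_server(method: str, request_headers: dict, emit_vary: bool = True) -> dict:
    """Stand-in for the GraphQL endpoint: returns response headers only."""
    headers = cors_headers(method, request_headers, emit_vary)
    headers["Content-Type"] = "application/json"
    return headers


class SharedCache:
    """Toy caching proxy. Each stored variant remembers the request-header
    values named in the response's Vary header; a response without Vary is
    keyed on the URL alone and therefore matches every later request."""

    def __init__(self) -> None:
        self.variants: dict = {}  # url -> list of (vary_key, response)

    def fetch(self, url: str, method: str, request_headers: dict, emit_vary: bool = True):
        for vary_key, response in self.variants.get(url, []):
            if all(request_headers.get(name) == value for name, value in vary_key):
                return response, True  # cache hit
        response = origin_server(method, request_headers, emit_vary)
        names = [n.strip() for n in response.get("Vary", "").split(",") if n.strip()]
        vary_key = tuple((n, request_headers.get(n)) for n in names)
        self.variants.setdefault(url, []).append((vary_key, response))
        return response, False  # cache miss


def browser_accepts(origin: str, response: dict) -> bool:
    """Approximation of the browser's check on a credentialed CORS response."""
    return response.get("Access-Control-Allow-Origin") == origin


def cache_poisoning_demo(emit_vary: bool) -> dict:
    """Two allowed origins fetch the same cacheable GraphQL GET through one
    cache. Without Vary, the second origin is served the first origin's
    cached ACAO and its browser rejects the response (the DoS)."""
    cache = SharedCache()
    results = {}
    for origin in ("https://shop.example", "https://admin.example"):
        response, _hit = cache.fetch("/graphql?query=...", "GET", {"Origin": origin}, emit_vary)
        results[origin] = browser_accepts(origin, response)
    return results


if __name__ == "__main__":
    print("with Vary:   ", cache_poisoning_demo(emit_vary=True))
    print("without Vary:", cache_poisoning_demo(emit_vary=False))
```

The cache model is the point: once a Varnish-style proxy has stored a response carrying `Access-Control-Allow-Origin: https://shop.example` under the bare URL, every other storefront origin hitting that URL for the lifetime of the object gets the wrong allow-origin and its browser blocks the response, which is a denial of service that requires no attacker at all, only two legitimate origins. `Vary: Origin` makes the proxy keep one variant per origin (and, with a large or open allow-list, also reduces the cache hit rate, which is the trade-off to weigh).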
@nrkapoor merging this PR will also necessitate changes to existing VCL for Varnish, idk who the CodeOwners of Varnish are, could you include them as reviewers as well?
Description (*)

Added support for CORS in Magento 2 GraphQl.
This PR was inspired by https://github.com/graycoreio/magento2-cors.

Related Pull Requests

Fixed Issues (if relevant)

Manual testing scenarios (*)

In env.php, add the allowed origins, methods, max-age, headers, and allow credentials details.

Questions or comments

Sample configuration (env.php) to allow all origins:

```php
'cors_allowed_origins' => '*'
```

Contribution checklist (*)