Merge branch 'master' into master

src/RpcServer/RpcServer.cs

@@ -54,9 +54,14 @@ private bool CheckAuth(HttpContext context)
         {
             if (string.IsNullOrEmpty(settings.RpcUser)) return true;
 
-            context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"Restricted\"";
-
             string reqauth = context.Request.Headers["Authorization"];
+            if (string.IsNullOrEmpty(reqauth))
+            {
+                context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"Restricted\"";
+                context.Response.StatusCode = 401;
+                return false;
+            }
+
             string authstring;
             try
             {
@@ -112,10 +117,14 @@ public void StartRpcServer()
                 options.Limits.MaxRequestLineSize = Math.Min(settings.MaxRequestBodySize, options.Limits.MaxRequestLineSize);
                 // Default value is 40
                 options.Limits.MaxConcurrentConnections = settings.MaxConcurrentConnections;
+
                 // Default value is 1 minutes
-                options.Limits.KeepAliveTimeout = TimeSpan.FromMinutes(1);
+                options.Limits.KeepAliveTimeout = settings.KeepAliveTimeout == -1 ?
+                    TimeSpan.MaxValue :
+                    TimeSpan.FromSeconds(settings.KeepAliveTimeout);
+
                 // Default value is 15 seconds
-                options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(15);
+                options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(settings.RequestHeadersTimeout);
 
                 if (string.IsNullOrEmpty(settings.SslCert)) return;
                 listenOptions.UseHttps(settings.SslCert, settings.SslCertPassword, httpsConnectionAdapterOptions =>
@@ -134,11 +143,41 @@ public void StartRpcServer()
             }))
             .Configure(app =>
             {
+                if (settings.EnableCors)
+                    app.UseCors("All");
+
                 app.UseResponseCompression();
                 app.Run(ProcessAsync);
             })
             .ConfigureServices(services =>
             {
+                if (settings.EnableCors)
+                {
+                    if (settings.AllowOrigins.Length == 0)
+                        services.AddCors(options =>
+                        {
+                            options.AddPolicy("All", policy =>
+                            {
+                                policy.AllowAnyOrigin()
+                                .WithHeaders("Content-Type")
+                                .WithMethods("GET", "POST");
+                                // The CORS specification states that setting origins to "*" (all origins)
+                                // is invalid if the Access-Control-Allow-Credentials header is present.
+                            });
+                        });
+                    else
+                        services.AddCors(options =>
+                        {
+                            options.AddPolicy("All", policy =>
+                            {
+                                policy.WithOrigins(settings.AllowOrigins)
+                                .WithHeaders("Content-Type")
+                                .AllowCredentials()
+                                .WithMethods("GET", "POST");
+                            });
+                        });
+                }
+
                 services.AddResponseCompression(options =>
                 {
                     // options.EnableForHttps = false;
@@ -163,10 +202,6 @@ internal void UpdateSettings(RpcServerSettings settings)
 
         public async Task ProcessAsync(HttpContext context)
         {
-            context.Response.Headers["Access-Control-Allow-Origin"] = "*";
-            context.Response.Headers["Access-Control-Allow-Methods"] = "GET, POST";
-            context.Response.Headers["Access-Control-Allow-Headers"] = "Content-Type";
-            context.Response.Headers["Access-Control-Max-Age"] = "31536000";
             if (context.Request.Method != "GET" && context.Request.Method != "POST") return;
             JToken request = null;
             if (context.Request.Method == "GET")

src/RpcServer/RpcServerPlugin.cs

@@ -42,6 +42,16 @@ protected override void OnSystemLoaded(NeoSystem system)
             RpcServerSettings s = settings.Servers.FirstOrDefault(p => p.Network == system.Settings.Network);
             if (s is null) return;
 
+            if (s.EnableCors && string.IsNullOrEmpty(s.RpcUser) == false && s.AllowOrigins.Length == 0)
+            {
+                Log("RcpServer: CORS is misconfigured!", LogLevel.Warning);
+                Log($"You have {nameof(s.EnableCors)} and Basic Authentication enabled but " +
+                $"{nameof(s.AllowOrigins)} is empty in config.json for RcpServer. " +
+                "You must add url origins to the list to have CORS work from " +
+                $"browser with basic authentication enabled. " +
+                $"Example: \"AllowOrigins\": [\"http://{s.BindAddress}:{s.Port}\"]", LogLevel.Info);
+            }
+
             RpcServer server = new(system, s);
 
             if (handlers.Remove(s.Network, out var list))

src/RpcServer/Settings.cs

@@ -39,6 +39,10 @@ public record RpcServerSettings
         public int MaxRequestBodySize { get; init; }
         public string RpcUser { get; init; }
         public string RpcPass { get; init; }
+        public bool EnableCors { get; init; }
+        public string[] AllowOrigins { get; init; }
+        public int KeepAliveTimeout { get; init; }
+        public uint RequestHeadersTimeout { get; init; }
         public long MaxGasInvoke { get; init; }
         public long MaxFee { get; init; }
         public int MaxIteratorResultItems { get; init; }
@@ -57,6 +61,10 @@ public record RpcServerSettings
             MaxGasInvoke = (long)new BigDecimal(10M, NativeContract.GAS.Decimals).Value,
             MaxFee = (long)new BigDecimal(0.1M, NativeContract.GAS.Decimals).Value,
             TrustedAuthorities = Array.Empty<string>(),
+            EnableCors = true,
+            AllowOrigins = Array.Empty<string>(),
+            KeepAliveTimeout = 60,
+            RequestHeadersTimeout = 15,
             MaxIteratorResultItems = 100,
             MaxStackSize = ushort.MaxValue,
             DisabledMethods = Array.Empty<string>(),
@@ -77,6 +85,10 @@ public record RpcServerSettings
             TrustedAuthorities = section.GetSection("TrustedAuthorities").GetChildren().Select(p => p.Get<string>()).ToArray(),
             RpcUser = section.GetSection("RpcUser").Value,
             RpcPass = section.GetSection("RpcPass").Value,
+            EnableCors = section.GetValue(nameof(EnableCors), Default.EnableCors),
+            AllowOrigins = section.GetSection(nameof(AllowOrigins)).GetChildren().Select(p => p.Get<string>()).ToArray(),
+            KeepAliveTimeout = section.GetValue(nameof(KeepAliveTimeout), Default.KeepAliveTimeout),
+            RequestHeadersTimeout = section.GetValue(nameof(RequestHeadersTimeout), Default.RequestHeadersTimeout),
             MaxGasInvoke = (long)new BigDecimal(section.GetValue<decimal>("MaxGasInvoke", Default.MaxGasInvoke), NativeContract.GAS.Decimals).Value,
             MaxFee = (long)new BigDecimal(section.GetValue<decimal>("MaxFee", Default.MaxFee), NativeContract.GAS.Decimals).Value,
             MaxIteratorResultItems = section.GetValue("MaxIteratorResultItems", Default.MaxIteratorResultItems),

src/RpcServer/config.json

@@ -10,6 +10,10 @@
         "TrustedAuthorities": [],
         "RpcUser": "",
         "RpcPass": "",
+        "EnableCors": true,
+        "AllowOrigins": [],
+        "KeepAliveTimeout": 60,
+        "RequestHeadersTimeout": 15,
         "MaxGasInvoke": 20,
         "MaxFee": 0.1,
         "MaxConcurrentConnections": 40,