fix: make CORS work on dev server and API v3 (#8392)
stephanegigandet authored May 11, 2023
1 parent efa8c72 commit a0cfac9
Showing 7 changed files with 41 additions and 8 deletions.
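--- a/lib/ProductOpener/API.pm
+++ b/lib/ProductOpener/API.pm
@@ -374,10 +374,13 @@ sub process_api_request ($request_ref) {
 # Product read or write
 if ($request_ref->{api_action} eq "product") {
 
-if ($request_ref->{api_method} eq "PATCH") {
+if ($request_ref->{api_method} eq "OPTIONS") {
+# Just return CORS headers
+}
+elsif ($request_ref->{api_method} eq "PATCH") {
 write_product_api($request_ref);
 }
-elsif ($request_ref->{api_method} =~ /^(GET|HEAD|OPTIONS)$/) {
+elsif ($request_ref->{api_method} =~ /^(GET|HEAD)$/) {
 read_product_api($request_ref);
 }
 else {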
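Review bot: The new `OPTIONS` branch is an empty block whose only content is `# Just return CORS headers`, and nothing visible in this hunk shows where those headers or the 200 status are produced. A reader auditing preflight handling would want the comment to name that place and state the invariant, e.g. `# CORS preflight: no product read or write here; the CORS headers are added when the response is sent (see get_cors_headers)`, assuming that is where they come from. The branch sits inside the `api_action eq "product"` test only, so preflights for other API actions presumably still fall through to whatever follows. That part of process_api_request is outside the hunk and should be checked.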
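--- a/lib/ProductOpener/APITest.pm
+++ b/lib/ProductOpener/APITest.pm
@@ -460,7 +460,8 @@ sub execute_api_tests ($file, $tests_ref, $ua = undef) {
 $response = $test_ua->delete(
 $url,
 Content => encode_utf8($test_ref->{body}),
-"Content-Type" => "application/json; charset=utf-8" % $headers_in,
+"Content-Type" => "application/json; charset=utf-8",
+%$headers_in,
 );
 }
 elsif ($method eq 'PATCH') {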
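Review bot: `%$headers_in` in the DELETE call dereferences the variable unconditionally, and under `strict refs` an undefined `$headers_in` dies with "Can't use an undefined value as a HASH reference". If a test case without request headers can reach this branch, `%{$headers_in // {}},` is the safer form. Whether `$headers_in` is always initialised is decided earlier in execute_api_tests, outside this hunk. Because the hash is spliced in after the `"Content-Type"` pair, a test-supplied Content-Type replaces the JSON default, which deserves a one-line comment if it is intended.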
6 changes: 3 additions & 3 deletions lib/ProductOpener/HTTP.pm
@@ -30,7 +30,7 @@ C<ProductOpener::Web> consists of functions used only in OpenFoodFacts website f
The module implements http utilities to use in different part of the code.
FIXME: a lot of fuctions in Display.pm should be moved here.
FIXME: a lot of functions in Display.pm should be moved here.
=cut

@@ -61,7 +61,7 @@ use ProductOpener::Config qw/:all/;
=head2 get_cors_headers($allow_credentials = 0, $sub_domain_only = 0)
We handle CORS headers from perl code, NGINX should not interfere.
We handle CORS headers from Perl code, NGINX should not interfere.
So this is the central place for it.
Some parts needs to be more strict than others (eg. auth).
@@ -129,7 +129,7 @@ sub get_cors_headers ($allow_credentials = 0, $sub_domain_only = 0) {
# be generous on methods and headers, it does not hurt
$headers_ref->{"Access-Control-Allow-Methods"} = "HEAD, GET, PATCH, POST, PUT, OPTIONS";
$headers_ref->{"Access-Control-Allow-Headers"}
= "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,If-None-Match";
= "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,If-None-Match,Authorization";
$headers_ref->{"Access-Control-Expose-Headers"} = "Content-Length,Content-Range";

return $headers_ref;
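Review bot: The comment `# be generous on methods and headers, it does not hurt` no longer fits the third hunk, which adds `Authorization` to `Access-Control-Allow-Headers`. Any origin that is served these headers can now have page scripts send explicit bearer or basic credentials to the API. From the visible lines the list appears to be set regardless of `$allow_credentials` and `$sub_domain_only`, so the stricter (auth) callers get the same list. get_cors_headers starts above the hunk, so confirm that the origin handling there is what limits who may use it. I would replace the comment with something like `# Authorization is listed so API clients can authenticate cross-origin; unlike cookies it is never attached automatically, so the origin checks above remain the access control`.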
6 changes: 6 additions & 0 deletions stop_words.txt
@@ -18,6 +18,7 @@ APIProductWrite
appid
aromatisées
arôme
auth
autocomplete
backend
backticks
@@ -44,6 +45,7 @@ CodeOnline
colza
Config
contenant
CORS
couvercle
Crowdin
csv
@@ -66,6 +68,7 @@ EXIF
Fabriqué
filehandle
FILEHANDLE
FIXME
flavour
flavouring
flavourings
@@ -130,6 +133,7 @@ NaN
naturel
nd
NGO
NGINX
nodejs
nutri
Nutri
@@ -146,6 +150,7 @@ packagings
param
Pâtes
pectine
Perl
png
PNG
PNNS
@@ -189,6 +194,7 @@ tagtype
taxonomize
taxonomized
tesseract
tld
TODO
TSV
ua
11 changes: 11 additions & 0 deletions tests/integration/api_v3_product_write.t
@@ -593,6 +593,17 @@ my $tests_ref = [
path => '/api/v3/product/test',
body => '{"product": { "ingredients_text_en": "milk 80%, sugar, cocoa powder"}}',
},
{
test_case => 'options-code-test',
method => 'OPTIONS',
path => '/api/v3/product/test',
body => '{"product": { "ingredients_text_en": "milk 80%, sugar, cocoa powder"}}',
headers => {
"Access-Control-Allow-Origin" => "*",
"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
},
expected_type => "html",
},
{
test_case => 'patch-unrecognized-field',
method => 'PATCH',
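Review bot: The added `options-code-test` case sends a product body with `OPTIONS` but sets no `expected_status_code`, unlike the OPTIONS cases in tests/integration/cors.t, so it depends on whatever default the harness applies. Adding `expected_status_code => 200,` would pin the preflight result here as well. The body is the same `ingredients_text_en` string as the case just above it, so the stored product cannot show whether the preflight wrote anything. A distinct value in the OPTIONS body would make that visible, assuming later cases read the product back.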
14 changes: 13 additions & 1 deletion tests/integration/cors.t
@@ -60,11 +60,23 @@ my $tests_ref = [
},
expected_type => "html",
},
# Note: in API v3, we return a 200 status code for OPTIONS, even if the product does not exist
{
test_case => 'options-api-v3',
method => 'OPTIONS',
path => '/api/v3/product/0000002',
expected_status_code => 404,
expected_status_code => 200,
headers => {
"Access-Control-Allow-Origin" => "*",
"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
},
expected_type => "html",
},
{
test_case => 'options-api-v3-test-product',
method => 'OPTIONS',
path => '/api/v3/product/test',
expected_status_code => 200,
headers => {
"Access-Control-Allow-Origin" => "*",
"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
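Review bot: Both OPTIONS cases assert only `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`, so the `Authorization` entry this commit adds to `Access-Control-Allow-Headers` is covered by tests/unit/http.t alone and not end to end. Adding an `"Access-Control-Allow-Headers"` entry to the `headers` hash of `options-api-v3`, with the same string as in the unit test, would catch a handler or front-end server that drops or rewrites it, assuming the harness compares header values exactly. The `options-api-v3-test-product` case continues past the end of the hunk.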
2 changes: 1 addition & 1 deletion tests/unit/http.t
@@ -34,7 +34,7 @@ sub fake_headers_in ($fake_arg) {
my $expected_base_ref = {
"Access-Control-Allow-Methods" => "HEAD, GET, PATCH, POST, PUT, OPTIONS",
"Access-Control-Allow-Headers" =>
"DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,If-None-Match",
"DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,If-None-Match,Authorization",
"Access-Control-Expose-Headers" => "Content-Length,Content-Range",
};
