Commit

cmd: Added cors support to host process
Closes #506
arekkas committed Nov 26, 2017
1 parent 0a83f1b commit b5c1c38
Showing 3 changed files with 55 additions and 2 deletions.
8 changes: 7 additions & 1 deletion Gopkg.lock

26 changes: 26 additions & 0 deletions cmd/host.go
Expand Up @@ -32,6 +32,7 @@ you can also set environments by prepending key value pairs: "KEY=VALUE KEY2=VAL
All possible controls are listed below. The host process additionally exposes a few flags, which are listed below
the controls section.
CORE CONTROLS
=============
Expand Down Expand Up @@ -110,6 +111,7 @@ OAUTH2 CONTROLS
- SCOPE_STRATEGY: Set this to DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY to enable the deprecated hierarchical scope strategy.
This is required if you do not want to migrate to the new wildcard strategy.
HTTPS CONTROLS
==============
Expand All @@ -132,6 +134,30 @@ HTTPS CONTROLS
Example: HTTPS_TLS_KEY="-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg..."
CORS CONTROLS
==============
- CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
Only one wildcard can be used per origin. The default value is *.
Example: CORS_ALLOWED_ORIGINS=http://*.domain.com,http://*.domain2.com
- CORS_ALLOWED_METHODS: A list of methods (comma separated values) the client is allowed to use with cross-domain
requests. Default value is simple methods (GET and POST).
Example: CORS_ALLOWED_METHODS=POST,GET,PUT
- CORS_ALLOWED_CREDENTIALS: Indicates whether the request can include user credentials like cookies, HTTP authentication
or client side SSL certificates. The default is false.
- CORS_DEBUG: Debugging flag adds additional output to debug server side CORS issues.
- CORS_MAX_AGE: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
- CORS_ALLOWED_HEADERS: A list of non simple headers (comma separated values) the client is allowed to use with cross-domain requests.
- CORS_EXPOSED_HEADERS: Indicates which headers (comma separated values) are safe to expose to the API of a CORS API specification.
DEBUG CONTROLS
==============
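Review bot: In the CORS_ALLOWED_ORIGINS entry, a documented default of * means a deployment that sets nothing accepts cross-domain requests from every origin; for a server that also exposes the OAUTH2 controls listed above, I would default to no allowed origins and make operators opt in, and say in the CORS_ALLOWED_CREDENTIALS entry that it should not be enabled together with a * origin. Smaller points in the same block: "penality" should be "penalty", the CORS_EXPOSED_HEADERS description ("safe to expose to the API of a CORS API specification") does not say what is exposed to whom, CORS_ALLOWED_HEADERS and CORS_EXPOSED_HEADERS have no Example line like the first two entries, and the underline under "CORS CONTROLS" is one character longer than the heading.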
23 changes: 22 additions & 1 deletion cmd/server/handler.go
Expand Up @@ -21,6 +21,9 @@ import (
"net/url"
"os"

"strconv"
"strings"

"github.com/gorilla/context"
"github.com/julienschmidt/httprouter"
"github.com/meatballhat/negroni-logrus"
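Review bot: "strconv" and "strings" are added as a second standard-library group after the blank line that follows "os"; merge them into the existing group with "net/url" and "os" so the file keeps one sorted standard-library import block ahead of the third-party imports.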
Expand All @@ -36,10 +39,27 @@ import (
"github.com/ory/hydra/warden/group"
"github.com/ory/ladon"
"github.com/pkg/errors"
"github.com/rs/cors"
"github.com/spf13/cobra"
"github.com/spf13/viper"
"github.com/urfave/negroni"
)

func parseCorsOptions() cors.Options {
allowCredentials, _ := strconv.ParseBool(viper.GetString("CORS_ALLOWED_CREDENTIALS"))
debug, _ := strconv.ParseBool(viper.GetString("CORS_DEBUG"))
maxAge, _ := strconv.Atoi(viper.GetString("CORS_MAX_AGE"))
return cors.Options{
AllowedOrigins: strings.Split(viper.GetString("CORS_ALLOWED_ORIGINS"), ","),
AllowedMethods: strings.Split(viper.GetString("CORS_ALLOWED_METHODS"), ","),
AllowedHeaders: strings.Split(viper.GetString("CORS_ALLOWED_HEADERS"), ","),
ExposedHeaders: strings.Split(viper.GetString("CORS_EXPOSED_HEADERS"), ","),
AllowCredentials: allowCredentials,
MaxAge: maxAge,
Debug: debug,
}
}

func RunHost(c *config.Config) func(cmd *cobra.Command, args []string) {
return func(cmd *cobra.Command, args []string) {
router := httprouter.New()
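Review bot: In parseCorsOptions, strings.Split on an empty string returns a slice containing one empty string, not an empty slice, so when CORS_ALLOWED_ORIGINS, CORS_ALLOWED_METHODS, CORS_ALLOWED_HEADERS or CORS_EXPOSED_HEADERS is unset the option is [""] and any "use the default when the list is empty" logic in the cors package is bypassed, unless a default is registered somewhere outside these lines. That conflicts with the help text, which promises * for origins and GET and POST for methods. Suggest a small helper that returns nil for an empty value and trims whitespace around each entry, so "a.com, b.com" also works. Separately, the errors from strconv.ParseBool and strconv.Atoi are discarded with _, so a typo such as CORS_ALLOWED_CREDENTIALS=ture or CORS_MAX_AGE=10m silently becomes false or 0; log or fail at startup instead. parseCorsOptions also has no doc comment or test.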
Expand Down Expand Up @@ -93,10 +113,11 @@ func RunHost(c *config.Config) func(cmd *cobra.Command, args []string) {
n.Use(negronilogrus.NewMiddlewareFromLogger(logger, c.Issuer))
n.UseFunc(serverHandler.rejectInsecureRequests)
n.UseHandler(router)
corsHandler := cors.New(parseCorsOptions()).Handler(n)

var srv = graceful.WithDefaults(&http.Server{
Addr: c.GetAddress(),
Handler: context.ClearHandler(n),
Handler: context.ClearHandler(corsHandler),
TLSConfig: &tls.Config{
Certificates: []tls.Certificate{getOrCreateTLSCertificate(cmd, c)},
},
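Review bot: corsHandler wraps the whole negroni stack n, so the CORS middleware is installed unconditionally for every route and sits outside negronilogrus and serverHandler.rejectInsecureRequests; preflight requests that the cors handler answers itself will not reach the logger or the insecure-request check. Suggest registering it inside the chain after the logger, or enabling it only when at least one CORS_* variable is set, so that an operator who configures nothing gets the previous behaviour. A test that sends an OPTIONS preflight through the assembled handler would pin the intended ordering.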

0 comments on commit b5c1c38