authelia/internal/middlewares/cors.go
James Elliott a8f5a70b03
feat(oidc): add automatic allow all cors to discovery (#2953)
This adds a Cross Origin Resource Sharing policy that automatically allows any cross-origin request to the OpenID Connect discovery documents.
2022-03-04 15:46:12 +11:00

54 lines
1.9 KiB
Go

package middlewares
import (
"net/url"
"strings"
"github.com/valyala/fasthttp"
)
// CORSApplyAutomaticAllowAllPolicy applies a CORS policy that automatically grants all Origins as well
// as all Request Headers other than Cookie and *. It does not allow credentials, and has a max age of 100. Vary is applied
// to both Accept-Encoding and Origin. It grants the GET Request Method only.
func CORSApplyAutomaticAllowAllPolicy(next RequestHandler) RequestHandler {
return func(ctx *AutheliaCtx) {
if origin := ctx.Request.Header.PeekBytes(headerOrigin); origin != nil {
corsApplyAutomaticAllowAllPolicy(&ctx.Request, &ctx.Response, origin)
}
next(ctx)
}
}
func corsApplyAutomaticAllowAllPolicy(req *fasthttp.Request, resp *fasthttp.Response, origin []byte) {
originURL, err := url.Parse(string(origin))
if err != nil || originURL.Scheme != "https" {
return
}
resp.Header.SetBytesKV(headerVary, headerValueVary)
resp.Header.SetBytesKV(headerAccessControlAllowOrigin, origin)
resp.Header.SetBytesKV(headerAccessControlAllowCredentials, headerValueFalse)
resp.Header.SetBytesKV(headerAccessControlMaxAge, headerValueMaxAge)
if headers := req.Header.PeekBytes(headerAccessControlRequestHeaders); headers != nil {
requestedHeaders := strings.Split(string(headers), ",")
allowHeaders := make([]string, len(requestedHeaders))
for i, header := range requestedHeaders {
headerTrimmed := strings.Trim(header, " ")
if !strings.EqualFold("*", headerTrimmed) && !strings.EqualFold("Cookie", headerTrimmed) {
allowHeaders[i] = headerTrimmed
}
}
if len(allowHeaders) != 0 {
resp.Header.SetBytesKV(headerAccessControlAllowHeaders, []byte(strings.Join(allowHeaders, ", ")))
}
}
if requestMethods := req.Header.PeekBytes(headerAccessControlRequestMethod); requestMethods != nil {
resp.Header.SetBytesKV(headerAccessControlAllowMethods, requestMethods)
}
}