Add CORS headers to API-like routes

2025-07-31 09:24:31 +03:00 · 2022-04-07 16:25:42 +02:00
parent b43817e66c
commit bc24e30867
8 changed files with 86 additions and 21 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -2128,6 +2128,7 @@ dependencies = [
 "thiserror",
 "tokio",
 "tower",
+ "tower-http",
 "tracing",
 "url",
 ]
@ -2143,6 +2144,7 @@ dependencies = [
 "http-body",
 "hyper",
 "hyper-rustls 0.23.0",
+ "once_cell",
 "opentelemetry",
 "opentelemetry-http",
 "opentelemetry-semantic-conventions",
--- a/crates/axum-utils/Cargo.toml
+++ b/crates/axum-utils/Cargo.toml
@ -34,3 +34,5 @@ mas-storage = { path = "../storage" }
 mas-data-model = { path = "../data-model" }
 mas-jose = { path = "../jose" }
 mas-iana = { path = "../iana" }
+
+[features]
--- a/crates/cli/src/telemetry.rs
+++ b/crates/cli/src/telemetry.rs
@ -40,7 +40,7 @@ pub fn setup(config: &TelemetryConfig) -> anyhow::Result<Option<Tracer>> {

    // The CORS filter needs to know what headers it should whitelist for
    // CORS-protected requests.
-    // TODO mas_warp_utils::filters::cors::set_propagator(&propagator);
+    mas_http::set_propagator(&propagator);
    global::set_text_map_propagator(propagator);

    let tracer = tracer(&config.tracing.exporter)?;
--- a/crates/handlers/Cargo.toml
+++ b/crates/handlers/Cargo.toml
@ -22,6 +22,7 @@ anyhow = "1.0.56"
 # Web server
 hyper = { version = "0.14.18", features = ["full"] }
 tower = "0.4.12"
+tower-http = { version = "0.2.5", features = ["cors"] }
 axum = "0.5.1"
 axum-macros = "0.2.0"

--- a/crates/handlers/src/lib.rs
+++ b/crates/handlers/src/lib.rs
@ -19,7 +19,7 @@
    clippy::unused_async // Some axum handlers need that
 )]

-use std::sync::Arc;
+use std::{sync::Arc, time::Duration};

 use axum::{
    body::HttpBody,
@ -27,12 +27,15 @@ use axum::{
    routing::{get, on, post, MethodFilter},
    Router,
 };
+use hyper::header::AUTHORIZATION;
 use mas_axum_utils::UrlBuilder;
 use mas_config::Encrypter;
 use mas_email::Mailer;
+use mas_http::CorsLayerExt;
 use mas_jose::StaticKeystore;
 use mas_templates::Templates;
 use sqlx::PgPool;
+use tower_http::cors::{Any, CorsLayer};

 mod health;
 mod oauth2;
@ -52,6 +55,33 @@ where
    <B as HttpBody>::Data: Send,
    <B as HttpBody>::Error: std::error::Error + Send + Sync,
 {
+    // All those routes are API-like, with a common CORS layer
+    let api_router = Router::new()
+        .route(
+            "/.well-known/openid-configuration",
+            get(self::oauth2::discovery::get),
+        )
+        .route("/oauth2/keys.json", get(self::oauth2::keys::get))
+        .route(
+            "/oauth2/userinfo",
+            on(
+                MethodFilter::POST | MethodFilter::GET,
+                self::oauth2::userinfo::get,
+            ),
+        )
+        .route(
+            "/oauth2/introspect",
+            post(self::oauth2::introspection::post),
+        )
+        .route("/oauth2/token", post(self::oauth2::token::post))
+        .layer(
+            CorsLayer::new()
+                .allow_origin(Any)
+                .allow_methods(Any)
+                .allow_otel_headers([AUTHORIZATION])
+                .max_age(Duration::from_secs(60 * 60)),
+        );
+
    Router::new()
        .route("/", get(self::views::index::get))
        .route("/health", get(self::health::get))
@ -78,28 +108,12 @@ where
            "/account/emails",
            get(self::views::account::emails::get).post(self::views::account::emails::post),
        )
-        .route(
-            "/.well-known/openid-configuration",
-            get(self::oauth2::discovery::get),
-        )
-        .route("/oauth2/keys.json", get(self::oauth2::keys::get))
-        .route(
-            "/oauth2/userinfo",
-            on(
-                MethodFilter::POST | MethodFilter::GET,
-                self::oauth2::userinfo::get,
-            ),
-        )
-        .route(
-            "/oauth2/introspect",
-            post(self::oauth2::introspection::post),
-        )
-        .route("/oauth2/token", post(self::oauth2::token::post))
        .route("/oauth2/authorize", get(self::oauth2::authorization::get))
        .route(
            "/oauth2/authorize/step",
            get(self::oauth2::authorization::step_get),
        )
+        .merge(api_router)
        .fallback(mas_static_files::Assets)
        .layer(Extension(pool.clone()))
        .layer(Extension(templates.clone()))
--- a/crates/http/Cargo.toml
+++ b/crates/http/Cargo.toml
@ -13,6 +13,7 @@ http = "0.2.6"
 http-body = "0.4.4"
 hyper = "0.14.18"
 hyper-rustls = { version = "0.23.0", features = ["http1", "http2"] }
+once_cell = "1.10.0"
 opentelemetry = "0.17.0"
 opentelemetry-http = "0.6.0"
 opentelemetry-semantic-conventions = "0.9.0"
@ -23,6 +24,6 @@ serde_json = "1.0.79"
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["sync", "parking_lot"] }
 tower = { version = "0.4.12", features = ["timeout", "limit"] }
-tower-http = { version = "0.2.5", features = ["follow-redirect", "decompression-full", "set-header", "compression-full"] }
+tower-http = { version = "0.2.5", features = ["follow-redirect", "decompression-full", "set-header", "compression-full", "cors"] }
 tracing = "0.1.32"
 tracing-opentelemetry = "0.17.2"
--- a/crates/http/src/ext.rs
+++ b/crates/http/src/ext.rs
@ -12,8 +12,53 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+use http::header::HeaderName;
+use once_cell::sync::OnceCell;
+use tower_http::cors::CorsLayer;
+
 use crate::layers::json::Json;

+static PROPAGATOR_HEADERS: OnceCell<Vec<HeaderName>> = OnceCell::new();
+
+/// Notify the CORS layer what opentelemetry propagators are being used. This
+/// helps whitelisting headers in CORS requests.
+///
+/// # Panics
+///
+/// When called twice
+pub fn set_propagator(propagator: &dyn opentelemetry::propagation::TextMapPropagator) {
+    let headers = propagator
+        .fields()
+        .map(|h| HeaderName::try_from(h).unwrap())
+        .collect();
+
+    tracing::debug!(
+        ?headers,
+        "Headers allowed in CORS requests for trace propagators set"
+    );
+    PROPAGATOR_HEADERS
+        .set(headers)
+        .expect(concat!(module_path!(), "::set_propagator was called twice"));
+}
+
+pub trait CorsLayerExt {
+    #[must_use]
+    fn allow_otel_headers<H>(self, headers: H) -> Self
+    where
+        H: IntoIterator<Item = HeaderName>;
+}
+
+impl CorsLayerExt for CorsLayer {
+    fn allow_otel_headers<H>(self, headers: H) -> Self
+    where
+        H: IntoIterator<Item = HeaderName>,
+    {
+        let base = PROPAGATOR_HEADERS.get().cloned().unwrap_or_default();
+        let headers: Vec<_> = headers.into_iter().chain(base.into_iter()).collect();
+        self.allow_headers(headers)
+    }
+}
+
 pub trait ServiceExt: Sized {
    fn json<T>(self) -> Json<Self, T>;
 }
--- a/crates/http/src/lib.rs
+++ b/crates/http/src/lib.rs
@ -47,7 +47,7 @@ mod future_service;
 mod layers;

 pub use self::{
-    ext::ServiceExt as HttpServiceExt,
+    ext::{set_propagator, CorsLayerExt, ServiceExt as HttpServiceExt},
    future_service::FutureService,
    layers::{client::ClientLayer, json::JsonResponseLayer, otel, server::ServerLayer},
 };