
Commit 45d3565

committed
Break out workspace app cors handler
This will make it easier to test.
1 parent d8a0ba9 commit 45d3565


2 files changed

+35
-33
lines changed


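--- a/coderd/httpmw/cors.go
+++ b/coderd/httpmw/cors.go
@@ -2,8 +2,12 @@ package httpmw
 
 import (
 "net/http"
+"net/url"
+"regexp"
 
 "github.com/go-chi/cors"
+
+"github.com/coder/coder/coderd/httpapi"
 )
 
 //nolint:revive
@@ -25,3 +29,33 @@ func Cors(allowAll bool, origins ...string) func(next http.Handler) http.Handler
 AllowCredentials: false,
 })
 }
+
+func WorkspaceAppCors(regex *regexp.Regexp, app httpapi.ApplicationURL) func(next http.Handler) http.Handler {
+return cors.Handler(cors.Options{
+AllowOriginFunc: func(r *http.Request, rawOrigin string) bool {
+origin, err := url.Parse(rawOrigin)
+if rawOrigin == "" || origin.Host == "" || err != nil {
+return false
+}
+subdomain, ok := httpapi.ExecuteHostnamePattern(regex, origin.Host)
+if !ok {
+return false
+}
+originApp, err := httpapi.ParseSubdomainAppURL(subdomain)
+if err != nil {
+return false
+}
+return ok && originApp.Username == app.Username
+},
+AllowedMethods: []string{
+http.MethodHead,
+http.MethodGet,
+http.MethodPost,
+http.MethodPut,
+http.MethodPatch,
+http.MethodDelete,
+},
+AllowedHeaders: []string{"*"},
+AllowCredentials: true,
+})
+}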
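Review bot: In the AllowOriginFunc of WorkspaceAppCors, `origin.Host` is read before `err` is checked, and url.Parse returns a nil *URL on failure, so a non-empty Origin header that fails to parse dereferences nil and panics inside the middleware instead of being rejected. Check the error first: `if err != nil || origin.Host == "" { return false }` (the `rawOrigin == ""` test then becomes redundant, since an empty string parses to an empty Host). The same ordering was in the removed parseOrigin, so this move is a good moment to fix it and to pin it with the test the commit message anticipates. Separately, `ok` in `return ok && originApp.Username == app.Username` is always true at that point, and the exported function has no doc comment stating that credentialed cross-origin requests are allowed between apps owned by the same username.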

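--- a/coderd/workspaceapps/proxy.go
+++ b/coderd/workspaceapps/proxy.go
@@ -13,7 +13,6 @@ import (
 "sync"
 
 "github.com/go-chi/chi/v5"
-"github.com/go-chi/cors"
 "github.com/google/uuid"
 "go.opentelemetry.io/otel/trace"
 "nhooyr.io/websocket"
@@ -364,22 +363,7 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 
 // Use the passed in app middlewares before checking authentication and
 // passing to the proxy app.
-mws := chi.Middlewares(append(middlewares, cors.Handler(cors.Options{
-AllowOriginFunc: func(r *http.Request, origin string) bool {
-originApp, ok := s.parseOrigin(origin)
-return ok && originApp.Username == app.Username
-},
-AllowedMethods: []string{
-http.MethodHead,
-http.MethodGet,
-http.MethodPost,
-http.MethodPut,
-http.MethodPatch,
-http.MethodDelete,
-},
-AllowedHeaders: []string{"*"},
-AllowCredentials: true,
-})))
+mws := chi.Middlewares(append(middlewares, httpmw.WorkspaceAppCors(s.HostnameRegex, app)))
 mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
 return
@@ -411,22 +395,6 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 }
 }
 
-func (s *Server) parseOrigin(rawOrigin string) (httpapi.ApplicationURL, bool) {
-origin, err := url.Parse(rawOrigin)
-if rawOrigin == "" || origin.Host == "" || err != nil {
-return httpapi.ApplicationURL{}, false
-}
-subdomain, ok := httpapi.ExecuteHostnamePattern(s.HostnameRegex, origin.Host)
-if !ok {
-return httpapi.ApplicationURL{}, false
-}
-app, err := httpapi.ParseSubdomainAppURL(subdomain)
-if err != nil {
-return httpapi.ApplicationURL{}, false
-}
-return app, true
-}
-
 // parseHostname will return if a given request is attempting to access a
 // workspace app via a subdomain. If it is, the hostname of the request is parsed
 // into an httpapi.ApplicationURL and true is returned. If the request is not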
