
Commit d8a0ba9

committed
Simplify CORS handler with AllowOriginFunc
1 parent 1a690f0 commit d8a0ba9


2 files changed

+16
-32
lines changed


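--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -419,10 +419,7 @@ func New(options *Options) *API {
 //
 // Workspace apps do their own auth and CORS and must be BEFORE the auth
 // and CORS middleware.
-// REVIEW: Would it be worth creating httpmw.ExtractWorkspaceApp and using a
-// single CORS middleware?
 api.workspaceAppServer.HandleSubdomain(apiRateLimiter),
-// REVIEW: Is it OK that CORS come after the above middleware?
 cors,
 // Build-Version is helpful for debugging.
 func(next http.Handler) http.Handler {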

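--- a/coderd/workspaceapps/proxy.go
+++ b/coderd/workspaceapps/proxy.go
@@ -362,37 +362,24 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 return
 }
 
-// REVIEW: Like mentioned in coderd.go maybe we should extract the app
-// using middleware that way we can do this in a single top-level CORS
-// handler? Or just do the URL parsing twice.
-var corsmw func(next http.Handler) http.Handler
-origin := r.Header.Get("Origin")
-if originApp, ok := s.parseOrigin(origin); ok && originApp.Username == app.Username {
-corsmw = cors.Handler(cors.Options{
-AllowedOrigins: []string{origin},
-AllowedMethods: []string{
-http.MethodHead,
-http.MethodGet,
-http.MethodPost,
-http.MethodPut,
-http.MethodPatch,
-http.MethodDelete,
-},
-AllowedHeaders: []string{"*"},
-AllowCredentials: true,
-})
-} else {
-corsmw = cors.Handler(cors.Options{
-AllowedOrigins: []string{""}, // The middleware defaults to *.
-AllowedMethods: []string{},
-AllowedHeaders: []string{},
-AllowCredentials: false,
-})
-}
-
 // Use the passed in app middlewares before checking authentication and
 // passing to the proxy app.
-mws := chi.Middlewares(append(middlewares, corsmw))
+mws := chi.Middlewares(append(middlewares, cors.Handler(cors.Options{
+AllowOriginFunc: func(r *http.Request, origin string) bool {
+originApp, ok := s.parseOrigin(origin)
+return ok && originApp.Username == app.Username
+},
+AllowedMethods: []string{
+http.MethodHead,
+http.MethodGet,
+http.MethodPost,
+http.MethodPut,
+http.MethodPatch,
+http.MethodDelete,
+},
+AllowedHeaders: []string{"*"},
+AllowCredentials: true,
+})))
 mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
 return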
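Review bot: The `AllowOriginFunc` callback is now the only gate in front of `AllowCredentials: true` and `AllowedHeaders: []string{"*"}`, yet nothing in the new code documents that or pins it with a test. The removed else-branch carried the note that the middleware defaults to `*` when no origins are configured, so the new form relies on the library skipping that default once `AllowOriginFunc` is set; presumably it does, but confirm against the cors package in use. I would add a comment above the callback such as `// Only origins that parse as an app owned by the same user are allowed; any other origin must receive no CORS headers.` and a test asserting that a request carrying another user's app origin gets neither `Access-Control-Allow-Origin` nor `Access-Control-Allow-Credentials`. The unused request parameter can be written `_ *http.Request`. HandleSubdomain's body starts and ends outside the hunk.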
