Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: allow cross-origin requests between users' own apps #7688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jun 7, 2023
Merged

feat: allow cross-origin requests between users' own apps #7688

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
1a690f0
Allow cross-origin requests between users' own apps
code-asher May 25, 2023
d8a0ba9
Simplify CORS handler with AllowOriginFunc
code-asher May 31, 2023
45d3565
Break out workspace app cors handler
code-asher May 31, 2023
da1298a
Add tests for workspace app cors
code-asher May 31, 2023
1cb650a
Test options requests
code-asher May 31, 2023
e733304
Move test app into test cases
code-asher Jun 7, 2023
a0f2eb8
Recover accidentally removed newline
code-asher Jun 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Break out workspace app cors handler 
This will make it easier to test.
  • Loading branch information
@code-asher
code-asher committed Jun 7, 2023
commit 45d3565e849380893de81777093f9234158e8864
34 changes: 34 additions & 0 deletions coderd/httpmw/cors.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,12 @@ package httpmw

import (
"net/http"
"net/url"
"regexp"

"github.com/go-chi/cors"

"github.com/coder/coder/coderd/httpapi"
)

//nolint:revive
Expand All @@ -25,3 +29,33 @@ func Cors(allowAll bool, origins ...string) func(next http.Handler) http.Handler
AllowCredentials: false,
})
}

func WorkspaceAppCors(regex *regexp.Regexp, app httpapi.ApplicationURL) func(next http.Handler) http.Handler {
return cors.Handler(cors.Options{
AllowOriginFunc: func(r *http.Request, rawOrigin string) bool {
origin, err := url.Parse(rawOrigin)
if rawOrigin == "" || origin.Host == "" || err != nil {
return false
}
subdomain, ok := httpapi.ExecuteHostnamePattern(regex, origin.Host)
if !ok {
return false
}
originApp, err := httpapi.ParseSubdomainAppURL(subdomain)
if err != nil {
return false
}
return ok && originApp.Username == app.Username
},
AllowedMethods: []string{
http.MethodHead,
http.MethodGet,
http.MethodPost,
http.MethodPut,
http.MethodPatch,
http.MethodDelete,
},
AllowedHeaders: []string{"*"},
AllowCredentials: true,
})
}
34 changes: 1 addition & 33 deletions coderd/workspaceapps/proxy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ import (
"sync"

"github.com/go-chi/chi/v5"
"github.com/go-chi/cors"
"github.com/google/uuid"
"go.opentelemetry.io/otel/trace"
"nhooyr.io/websocket"
Expand Down Expand Up @@ -364,22 +363,7 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)

// Use the passed in app middlewares before checking authentication and
// passing to the proxy app.
mws := chi.Middlewares(append(middlewares, cors.Handler(cors.Options{
AllowOriginFunc: func(r *http.Request, origin string) bool {
originApp, ok := s.parseOrigin(origin)
return ok && originApp.Username == app.Username
},
AllowedMethods: []string{
http.MethodHead,
http.MethodGet,
http.MethodPost,
http.MethodPut,
http.MethodPatch,
http.MethodDelete,
},
AllowedHeaders: []string{"*"},
AllowCredentials: true,
})))
mws := chi.Middlewares(append(middlewares, httpmw.WorkspaceAppCors(s.HostnameRegex, app)))
mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
return
Expand Down Expand Up @@ -411,22 +395,6 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
}
}

func (s *Server) parseOrigin(rawOrigin string) (httpapi.ApplicationURL, bool) {
origin, err := url.Parse(rawOrigin)
if rawOrigin == "" || origin.Host == "" || err != nil {
return httpapi.ApplicationURL{}, false
}
subdomain, ok := httpapi.ExecuteHostnamePattern(s.HostnameRegex, origin.Host)
if !ok {
return httpapi.ApplicationURL{}, false
}
app, err := httpapi.ParseSubdomainAppURL(subdomain)
if err != nil {
return httpapi.ApplicationURL{}, false
}
return app, true
}

// parseHostname will return if a given request is attempting to access a
// workspace app via a subdomain. If it is, the hostname of the request is parsed
// into an httpapi.ApplicationURL and true is returned. If the request is not
Expand Down