Add support for CORS preflight (#1765)

6 years ago · e281ad7cc3
parent fe2cc803f7
commit e281ad7cc3
5 changed files with 59 additions and 7 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/PSGI/Try.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/PSGI/Try.pm
@ -8,15 +8,17 @@ our $VERSION = '2.0.6';
 extends 'Lemonldap::NG::Handler::PSGI::Router';

 has 'authRoutes' => (
-    is      => 'rw',
-    isa     => 'HashRef',
-    default => sub { { GET => {}, POST => {}, PUT => {}, DELETE => {} } }
+    is  => 'rw',
+    isa => 'HashRef',
+    default =>
+      sub { { GET => {}, POST => {}, PUT => {}, DELETE => {}, OPTIONS => {} } }
 );

 has 'unAuthRoutes' => (
-    is      => 'rw',
-    isa     => 'HashRef',
-    default => sub { { GET => {}, POST => {}, PUT => {}, DELETE => {} } }
+    is  => 'rw',
+    isa => 'HashRef',
+    default =>
+      sub { { GET => {}, POST => {}, PUT => {}, DELETE => {}, OPTIONS => {} } }
 );

 sub addRoute {
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
@ -157,6 +157,9 @@ sub init {
      # Refresh session
      ->addAuthRoute( refresh => 'refresh', ['GET'] )

+      ->addAuthRoute( '*' => 'corsPreflight', ['OPTIONS'] )
+      ->addUnauthRoute( '*' => 'corsPreflight', ['OPTIONS'] )
+
      # Logout
      ->addAuthRoute( logout => 'logout', ['GET'] );

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -1049,6 +1049,18 @@ sub _sumUpSession {
    return $res;
 }

+sub corsPreflight {
+    my ( $self, $req ) = @_;
+    my @headers;
+    if ( $self->conf->{corsEnabled} ) {
+        my @cors = split /;/, $self->cors;
+        push @headers, @cors;
+        $self->logger->debug('Apply following CORS policy :');
+        $self->logger->debug(" $_") for @cors;
+    }
+    return [ 204, \@headers, [] ];
+}
+
 # Temlate loader
 sub loadTemplate {
    my ( $self, $req, $name, %prm ) = @_;
--- a/lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t
+++ b/lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t
@ -33,12 +33,35 @@ ok(
 count(1);
 expectReject($res);

+# Test CORS "Preflight"
+ok( $res = $client->_options( '/', accept => 'text/html' ), 'Get Menu' );
+my %policy = @{ $res->[1] };
+count(1);
+
+# CORS
+ok( $policy{'Access-Control-Allow-Origin'} eq '', "CORS origin '' found" )
+  or print STDERR Dumper( $res->[1] );
+ok( $policy{'Access-Control-Allow-Credentials'} eq 'true',
+    "CORS credentials 'true' found" )
+  or print STDERR Dumper( $res->[1] );
+ok( $policy{'Access-Control-Allow-Headers'} eq '*', "CORS headers '*' found" )
+  or print STDERR Dumper( $res->[1] );
+ok( $policy{'Access-Control-Allow-Methods'} eq 'POST',
+    "CORS methods 'POST' found" )
+  or print STDERR Dumper( $res->[1] );
+ok( $policy{'Access-Control-Expose-Headers'} eq '*',
+    "CORS expose-headers '*' found" )
+  or print STDERR Dumper( $res->[1] );
+ok( $policy{'Access-Control-Max-Age'} eq '86400', "CORS max-age '86400' found" )
+  or print STDERR Dumper( $res->[1] );
+count(6);
+
 ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu' );
 ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
  or print STDERR Dumper( $res->[2]->[0] );
 count(2);

-my %policy = @{ $res->[1] };
+%policy = @{ $res->[1] };

 # CORS
 ok( $policy{'Access-Control-Allow-Origin'} eq '', "CORS origin '' found" )
--- a/lemonldap-ng-portal/t/test-lib.pm
+++ b/lemonldap-ng-portal/t/test-lib.pm
@ -784,6 +784,18 @@ sub _delete {
    $self->_get( $path, %args );
 }

+=head4 _options( $path, %args )
+
+Call C<_get()> with method set to OPTIONS.
+
+=cut
+
+sub _options {
+    my ( $self, $path, %args ) = @_;
+    $args{method} = 'OPTIONS';
+    $self->_get( $path, %args );
+}
+
 =head4 _put( $path, $body, %args )

 Call C<_post()> with method set to PUT