
Merge pull request #2451 from Mashape/fix/cors-proper-acac-header
fix(cors) proper handling of the ACAC header
thibaultcha authored Apr 25, 2017
2 parents 2cf1ebf + 96741a6 commit ca1c6c5
Showing 2 changed files with 72 additions and 10 deletions.
16 changes: 12 additions & 4 deletions kong/plugins/cors/handler.lua
Expand Up @@ -55,11 +55,19 @@ end


local function configure_credentials(ngx, conf)
if ngx.ctx.cors_allow_all then
ngx.header["Access-Control-Allow-Credentials"] = "false"
if conf.credentials then
if not ngx.ctx.cors_allow_all then
ngx.header["Access-Control-Allow-Credentials"] = "true"
return
end

elseif conf.credentials then
ngx.header["Access-Control-Allow-Credentials"] = "true"
-- Access-Control-Allow-Origin is '*', must change it because ACAC cannot
-- be 'true' if ACAO is '*'.
local req_origin = ngx.var.http_origin
if req_origin then
ngx.header["Access-Control-Allow-Origin"] = req_origin
ngx.header["Access-Control-Allow-Credentials"] = "true"
end
end
end

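Review bot: The reflection of `req_origin` into Access-Control-Allow-Origin makes the response origin-specific, but nothing marks it as such for caches, so an intermediary that caches the response could hand one origin's ACAO/ACAC=true pair to a request from a different origin. Set `ngx.header["Vary"] = "Origin"` next to the reflection (merging with an existing Vary value if code outside this hunk already sets one — not visible here). It is also worth stating at the top of configure_credentials that `origins = {"*"}` combined with `credentials = true` now trusts every requesting origin with credentials, since the echoed value is the client-supplied header: `-- NOTE: with origins='*' and credentials=true the request's Origin is echoed back, so any origin obtains credentialed access`. When no Origin header is present the function falls through leaving ACAO as '*' and no ACAC, which is correct but deserves a one-line comment since the silent fall-through is what keeps '*' and 'true' from ever being emitted together.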
66 changes: 60 additions & 6 deletions spec/03-plugins/14-cors/01-access_spec.lua
Expand Up @@ -35,6 +35,11 @@ describe("Plugin: cors (access)", function()
hosts = { "cors6.com" },
upstream_url = "http://mockbin.com"
})
local api7 = assert(helpers.dao.apis:insert {
name = "api-7",
hosts = { "cors7.com" },
upstream_url = "http://mockbin.com"
})

assert(helpers.dao.plugins:insert {
name = "cors",
Expand Down Expand Up @@ -80,7 +85,8 @@ describe("Plugin: cors (access)", function()
name = "cors",
api_id = api5.id,
config = {
origins = { "*" }
origins = { "*" },
credentials = true
}
})

Expand All @@ -97,6 +103,15 @@ describe("Plugin: cors (access)", function()
}
})

assert(helpers.dao.plugins:insert {
name = "cors",
api_id = api7.id,
config = {
origins = { "*" },
credentials = false
}
})

assert(helpers.start_kong())
client = helpers.proxy_client()
end)
Expand All @@ -119,7 +134,7 @@ describe("Plugin: cors (access)", function()
assert.equal("*", res.headers["Access-Control-Allow-Origin"])
assert.is_nil(res.headers["Access-Control-Allow-Headers"])
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
end)

Expand All @@ -135,7 +150,7 @@ describe("Plugin: cors (access)", function()
assert.equal("*", res.headers["Access-Control-Allow-Origin"])
assert.is_nil(res.headers["Access-Control-Allow-Headers"])
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
end)

Expand Down Expand Up @@ -196,7 +211,7 @@ describe("Plugin: cors (access)", function()
assert.is_nil(res.headers["Access-Control-Allow-Methods"])
assert.is_nil(res.headers["Access-Control-Allow-Headers"])
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
end)

Expand Down Expand Up @@ -229,7 +244,7 @@ describe("Plugin: cors (access)", function()
assert.is_nil(res.headers["Access-Control-Allow-Methods"])
assert.is_nil(res.headers["Access-Control-Allow-Headers"])
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
end)

Expand All @@ -245,7 +260,7 @@ describe("Plugin: cors (access)", function()
assert.is_nil(res.headers["Access-Control-Allow-Methods"])
assert.is_nil(res.headers["Access-Control-Allow-Headers"])
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.equal("false", res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
end)

Expand All @@ -272,5 +287,44 @@ describe("Plugin: cors (access)", function()
assert.res_status(200, res)
assert.is_nil(res.headers["Access-Control-Allow-Origin"])
end)

it("responds with the requested Origin when config.credentials=true", function()
local res = assert(client:send {
method = "GET",
headers = {
["Host"] = "cors5.com",
["Origin"] = "http://www.example.net"
}
})
assert.res_status(200, res)
assert.equals("http://www.example.net", res.headers["Access-Control-Allow-Origin"])
assert.equals("true", res.headers["Access-Control-Allow-Credentials"])
end)

it("responds with the requested Origin (including port) when config.credentials=true", function()
local res = assert(client:send {
method = "GET",
headers = {
["Host"] = "cors5.com",
["Origin"] = "http://www.example.net:3000"
}
})
assert.res_status(200, res)
assert.equals("http://www.example.net:3000", res.headers["Access-Control-Allow-Origin"])
assert.equals("true", res.headers["Access-Control-Allow-Credentials"])
end)

it("responds with * when config.credentials=false", function()
local res = assert(client:send {
method = "GET",
headers = {
["Host"] = "cors7.com",
["Origin"] = "http://www.example.net"
}
})
assert.res_status(200, res)
assert.equals("*", res.headers["Access-Control-Allow-Origin"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
end)
end)
end)
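Review bot: The new cases for cors5.com cover only requests that carry an Origin header; the handler's fall-through for `credentials = true` with `origins = {"*"}` and no Origin (ACAO stays "*" and ACAC is absent) is untested, and that is exactly the path that would regress into the forbidden '*' + 'true' combination. Add an `it("does not set ACAC when config.credentials=true and no Origin is sent", ...)` case against cors5.com that omits the Origin header and asserts `assert.equals("*", res.headers["Access-Control-Allow-Origin"])` and `assert.is_nil(res.headers["Access-Control-Allow-Credentials"])`. Minor style point: the added tests use `assert.equals` while the surrounding file uses `assert.equal`; both are luassert aliases, but the file should pick one. If a `Vary: Origin` header is added to the handler, these reflected-origin tests are where to assert it.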
