diff --git a/services/graph/pkg/config/defaults/defaultconfig.go b/services/graph/pkg/config/defaults/defaultconfig.go index fbe5b0cd7da..10871d42b41 100644 --- a/services/graph/pkg/config/defaults/defaultconfig.go +++ b/services/graph/pkg/config/defaults/defaultconfig.go @@ -33,7 +33,7 @@ func DefaultConfig() *config.Config { CORS: config.CORS{ AllowedOrigins: []string{"*"}, AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}, - AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "Purge", "Restore"}, + AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id", "Purge", "Restore"}, AllowCredentials: true, }, }, diff --git a/services/ocs/pkg/config/defaults/defaultconfig.go b/services/ocs/pkg/config/defaults/defaultconfig.go index 5f66f75654b..79c15eb227c 100644 --- a/services/ocs/pkg/config/defaults/defaultconfig.go +++ b/services/ocs/pkg/config/defaults/defaultconfig.go @@ -31,7 +31,7 @@ func DefaultConfig() *config.Config { CORS: config.CORS{ AllowedOrigins: []string{"*"}, AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}, - AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"}, + AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id"}, AllowCredentials: true, }, }, diff --git a/services/proxy/pkg/middleware/authentication.go b/services/proxy/pkg/middleware/authentication.go index 260161adbb3..e5d6765e539 100644 --- a/services/proxy/pkg/middleware/authentication.go +++ b/services/proxy/pkg/middleware/authentication.go @@ -52,7 +52,7 @@ func Authentication(auths []Authenticator, opts ...Option) func(next http.Handle return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ri := router.ContextRoutingInfo(r.Context()) - if isOIDCTokenAuth(r) || ri.IsRouteUnprotected() { + if isOIDCTokenAuth(r) || ri.IsRouteUnprotected() || r.Method == "OPTIONS" { // Either this is a request that does not need any authentication or // the authentication for this request is handled by the IdP. next.ServeHTTP(w, r) diff --git a/services/settings/pkg/config/defaults/defaultconfig.go b/services/settings/pkg/config/defaults/defaultconfig.go index 6790b074608..d5fd3ab5ed1 100644 --- a/services/settings/pkg/config/defaults/defaultconfig.go +++ b/services/settings/pkg/config/defaults/defaultconfig.go @@ -41,7 +41,7 @@ func DefaultConfig() *config.Config { CORS: config.CORS{ AllowedOrigins: []string{"*"}, AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}, - AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"}, + AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id"}, AllowCredentials: true, }, }, diff --git a/services/userlog/pkg/config/defaults/defaultconfig.go b/services/userlog/pkg/config/defaults/defaultconfig.go index dfb412a1d56..1dfd6318caa 100644 --- a/services/userlog/pkg/config/defaults/defaultconfig.go +++ b/services/userlog/pkg/config/defaults/defaultconfig.go @@ -48,7 +48,7 @@ func DefaultConfig() *config.Config { CORS: config.CORS{ AllowedOrigins: []string{"*"}, AllowedMethods: []string{"GET"}, - AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"}, + AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id", "Ocs-Apirequest"}, AllowCredentials: true, }, }, diff --git a/services/web/pkg/config/defaults/defaultconfig.go b/services/web/pkg/config/defaults/defaultconfig.go index 7bc2b51207c..c2acd8f03a7 100644 --- a/services/web/pkg/config/defaults/defaultconfig.go +++ b/services/web/pkg/config/defaults/defaultconfig.go @@ -30,6 +30,51 @@ func DefaultConfig() *config.Config { Root: "/", Namespace: "com.owncloud.web", CacheTTL: 604800, // 7 days + + CORS: config.CORS{ + AllowedOrigins: []string{"*"}, + AllowedMethods: []string{ + "OPTIONS", + "HEAD", + "GET", + "PUT", + "PATCH", + "POST", + "DELETE", + "MKCOL", + "PROPFIND", + "PROPPATCH", + "MOVE", + "COPY", + "REPORT", + "SEARCH", + }, + AllowedHeaders: []string{ + "Origin", + "Accept", + "Content-Type", + "Depth", + "Authorization", + "Ocs-Apirequest", + "If-None-Match", + "If-Match", + "Destination", + "Overwrite", + "X-Request-Id", + "X-Requested-With", + "Tus-Resumable", + "Tus-Checksum-Algorithm", + "Upload-Concat", + "Upload-Length", + "Upload-Metadata", + "Upload-Defer-Length", + "Upload-Expires", + "Upload-Checksum", + "Upload-Offset", + "X-HTTP-Method-Override", + }, + AllowCredentials: true, + }, }, Service: config.Service{ Name: "web", diff --git a/services/web/pkg/config/http.go b/services/web/pkg/config/http.go index a827ba5be27..1992c8d39d7 100644 --- a/services/web/pkg/config/http.go +++ b/services/web/pkg/config/http.go @@ -9,4 +9,13 @@ type HTTP struct { Namespace string `yaml:"-"` Root string `yaml:"root" env:"WEB_HTTP_ROOT" desc:"Subdirectory that serves as the root for this HTTP service."` CacheTTL int `yaml:"cache_ttl" env:"WEB_CACHE_TTL" desc:"Cache policy in seconds for ownCloud Web assets."` + CORS CORS `yaml:"cors"` +} + +// CORS defines the available cors configuration. +type CORS struct { + AllowedOrigins []string `yaml:"allow_origins" env:"OCIS_CORS_ALLOW_ORIGINS;WEB_CORS_ALLOW_ORIGINS" desc:"A comma-separated list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"` + AllowedMethods []string `yaml:"allow_methods" env:"OCIS_CORS_ALLOW_METHODS;WEB_CORS_ALLOW_METHODS" desc:"A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method"` + AllowedHeaders []string `yaml:"allow_headers" env:"OCIS_CORS_ALLOW_HEADERS;WEB_CORS_ALLOW_HEADERS" desc:"A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers."` + AllowCredentials bool `yaml:"allow_credentials" env:"OCIS_CORS_ALLOW_CREDENTIALS;WEB_CORS_ALLOW_CREDENTIALS" desc:"Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials."` } diff --git a/services/web/pkg/server/http/server.go b/services/web/pkg/server/http/server.go index dbe283029de..564afabbd33 100644 --- a/services/web/pkg/server/http/server.go +++ b/services/web/pkg/server/http/server.go @@ -5,6 +5,7 @@ import ( "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" chimiddleware "github.com/go-chi/chi/v5/middleware" + "github.com/owncloud/ocis/v2/ocis-pkg/cors" "github.com/owncloud/ocis/v2/ocis-pkg/middleware" "github.com/owncloud/ocis/v2/ocis-pkg/service/http" "github.com/owncloud/ocis/v2/ocis-pkg/version" @@ -56,6 +57,13 @@ func Server(opts ...Option) (http.Service, error) { middleware.Logger( options.Logger, ), + middleware.Cors( + cors.Logger(options.Logger), + cors.AllowedOrigins(options.Config.HTTP.CORS.AllowedOrigins), + cors.AllowedMethods(options.Config.HTTP.CORS.AllowedMethods), + cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders), + cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials), + ), ), ) diff --git a/services/webdav/pkg/config/defaults/defaultconfig.go b/services/webdav/pkg/config/defaults/defaultconfig.go index 3b8350436b7..efa0b4287b5 100644 --- a/services/webdav/pkg/config/defaults/defaultconfig.go +++ b/services/webdav/pkg/config/defaults/defaultconfig.go @@ -32,7 +32,7 @@ func DefaultConfig() *config.Config { CORS: config.CORS{ AllowedOrigins: []string{"*"}, AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}, - AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"}, + AllowedHeaders: []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id"}, AllowCredentials: true, }, },