support cors via rails not nginx. #622

Gemfile

@@ -46,6 +46,7 @@ gem "mailgun-ruby", "~> 1.1", ">= 1.1.8"
 gem "premailer", "~> 1.11", ">= 1.11.1"
 gem "flipper", "~> 0.17.0"
 gem "flipper-active_support_cache_store"
+gem "rack-cors", "~> 1.0", require: "rack/cors"
 gem "strip_attributes", "~> 1.8"
 gem "slack-notifier", "~> 2.1"
 gem "mini_magick", "~> 4.8"

Gemfile.lock

@@ -366,7 +366,7 @@ GEM
     net-http-persistent (3.1.0)
       connection_pool (~> 2.2)
     netrc (0.11.0)
-    nio4r (2.5.2)
+    nio4r (2.5.3)
     nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
     oj (3.10.14)
@@ -393,6 +393,8 @@ GEM
     rack (2.2.3)
     rack-accept (0.4.5)
       rack (>= 0.4)
+    rack-cors (1.1.1)
+      rack (>= 2.0.0)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rack-utf8_sanitizer (1.7.0)
@@ -661,6 +663,7 @@ DEPENDENCIES
   oj_mimic_json (~> 1.0, >= 1.0.1)
   premailer (~> 1.11, >= 1.11.1)
   pwqgen.rb (~> 0.1.0)
+  rack-cors (~> 1.0)
   rack-utf8_sanitizer (~> 1.6)
   rails (~> 5.2.0)
   rake (~> 12.0)

app/controllers/graphql_controller.rb

@@ -16,12 +16,6 @@ def execute
     handle_error_in_development e
   end
 
-  def cors_preflight_check
-    if request.method == 'OPTIONS'
-      render text: '', content_type: 'text/plain'
-    end
-  end
-
   private
 
   # Handle form data, JSON body, or a blank value

config/initializers/cors.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# Avoid CORS issues when API is called from the frontend app.
+# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.
+
+# Read more: https://github.com/cyu/rack-cors
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors, debug: true, logger: (-> { Rails.logger }) do
+  allow do
+    origins '*'
+
+    resource '*',
+      headers: :any,
+      expose: ["Authorization", "X-Credential-Username", "X-Anonymous-Consumer"],
+      methods: [:get, :post, :put, :patch, :delete, :options, :head]
+  end
+end

config/routes.rb

@@ -1,7 +1,9 @@
 Rails.application.routes.draw do
   post "/client-api/graphql", to: "graphql#execute"
   get "/client-api/graphql", to: "index#method_not_allowed"
-  match "/client-api/graphql" => "graphql#cors_preflight_check", via: :options
+
+  # global options responder -> makes sure OPTION request for CORS endpoints work
+  match '*path', via: [:options], to: lambda {|_| [204, { 'Content-Type' => 'text/plain' }]}
 
   # authentication
   post "token", to: "sessions#create_token"

vendor/docker/webapp.conf

@@ -15,46 +15,6 @@ server {
         return 301 https://support.datacite.org/docs/api;
     }
 
-    location / {
-        if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' "$http_origin";
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
-            add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
-            #
-            # Tell client that this pre-flight info is valid for 20 days
-            #
-            add_header 'Access-Control-Max-Age' 1728000;
-            add_header 'Content-Type' 'text/plain; charset=utf-8';
-            add_header 'Content-Length' 0;
-            return 204;
-        }
-        if ($request_method = 'POST') {
-            add_header 'Access-Control-Allow-Origin' "$http_origin";
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
-            add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
-        }
-        if ($request_method = 'PATCH') {
-            add_header 'Access-Control-Allow-Origin' "$http_origin";
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
-            add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
-        }
-        if ($request_method = 'GET') {
-            add_header 'Access-Control-Allow-Origin' "$http_origin";
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
-            add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
-        }
-        if ($request_method = 'DELETE') {
-            add_header 'Access-Control-Allow-Origin' "$http_origin";
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
-            add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
-        }
-    }
-
     location /client-api/graphql {
         gzip            on;
         gzip_min_length 1000;