From d4ae80109caec00b837d2bc65e0fb3f58e734091 Mon Sep 17 00:00:00 2001
From: Martin Fenner
Date: Wed, 9 Sep 2020 06:27:57 +0200
Subject: [PATCH] support cors via rails not nginx. #622

---
 Gemfile | 1 +
 Gemfile.lock | 5 +++-
 app/controllers/graphql_controller.rb | 6 ----
 config/initializers/cors.rb | 19 +++++++++++++
 config/routes.rb | 4 ++-
 vendor/docker/webapp.conf | 40 ---------------------------
 6 files changed, 27 insertions(+), 48 deletions(-)
 create mode 100644 config/initializers/cors.rb

diff --git a/Gemfile b/Gemfile
index 8b047667a..54c7acf21 100644
--- a/Gemfile
+++ b/Gemfile
@@ -46,6 +46,7 @@ gem "mailgun-ruby", "~> 1.1", ">= 1.1.8"
 gem "premailer", "~> 1.11", ">= 1.11.1"
 gem "flipper", "~> 0.17.0"
 gem "flipper-active_support_cache_store"
+gem "rack-cors", "~> 1.0", require: "rack/cors"
 gem "strip_attributes", "~> 1.8"
 gem "slack-notifier", "~> 2.1"
 gem "mini_magick", "~> 4.8"
diff --git a/Gemfile.lock b/Gemfile.lock
index 32388fd88..4d46ba601 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -366,7 +366,7 @@ GEM
 net-http-persistent (3.1.0)
 connection_pool (~> 2.2)
 netrc (0.11.0)
- nio4r (2.5.2)
+ nio4r (2.5.3)
 nokogiri (1.10.10)
 mini_portile2 (~> 2.4.0)
 oj (3.10.14)
@@ -393,6 +393,8 @@ GEM
 rack (2.2.3)
 rack-accept (0.4.5)
 rack (>= 0.4)
+ rack-cors (1.1.1)
+ rack (>= 2.0.0)
 rack-test (1.1.0)
 rack (>= 1.0, < 3)
 rack-utf8_sanitizer (1.7.0)
@@ -661,6 +663,7 @@ DEPENDENCIES
 oj_mimic_json (~> 1.0, >= 1.0.1)
 premailer (~> 1.11, >= 1.11.1)
 pwqgen.rb (~> 0.1.0)
+ rack-cors (~> 1.0)
 rack-utf8_sanitizer (~> 1.6)
 rails (~> 5.2.0)
 rake (~> 12.0)
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 93588237a..bd8c69655 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
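Review bot: The constraint on the added line `gem "rack-cors", "~> 1.0", require: "rack/cors"` admits the whole 1.x range including the older 1.0.x releases, while Gemfile.lock resolves to 1.1.1; for a middleware that enforces the cross-origin policy it is worth pinning the floor to the series actually tested, `gem "rack-cors", "~> 1.1", require: "rack/cors"`, so a rebuild without the lock cannot land on an earlier minor. The explicit `require:` is needed here because the initializer references the `Rack::Cors` constant directly.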
@@ -16,12 +16,6 @@ def execute
 handle_error_in_development e
 end
 
- def cors_preflight_check
- if request.method == 'OPTIONS'
- render text: '', content_type: 'text/plain'
- end
- end
-
 private
 
 # Handle form data, JSON body, or a blank value
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 000000000..9cd525f81
--- /dev/null
+++ b/config/initializers/cors.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# Avoid CORS issues when API is called from the frontend app.
+# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.
+
+# Read more: https://github.com/cyu/rack-cors
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors, debug: true, logger: (-> { Rails.logger }) do
+ allow do
+ origins '*'
+
+ resource '*',
+ headers: :any,
+ expose: ["Authorization", "X-Credential-Username", "X-Anonymous-Consumer"],
+ methods: [:get, :post, :put, :patch, :delete, :options, :head]
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index a885d63b8..7b9bf9a53 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,7 +1,9 @@
 Rails.application.routes.draw do
 post "/client-api/graphql", to: "graphql#execute"
 get "/client-api/graphql", to: "index#method_not_allowed"
- match "/client-api/graphql" => "graphql#cors_preflight_check", via: :options
+
+ # global options responder -> makes sure OPTION request for CORS endpoints work
+ match '*path', via: [:options], to: lambda {|_| [204, { 'Content-Type' => 'text/plain' }]}
 
 # authentication
 post "token", to: "sessions#create_token"
diff --git a/vendor/docker/webapp.conf b/vendor/docker/webapp.conf
index 6d74a9246..4cd293db0 100644
--- a/vendor/docker/webapp.conf
+++ b/vendor/docker/webapp.conf
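Review bot: `debug: true` on the `Rack::Cors` line in config/initializers/cors.rb is unconditional, so production responses will carry rack-cors's `X-Rack-CORS` diagnostic header and every CORS evaluation is written to `Rails.logger`; gate it with `debug: Rails.env.development?` or drop it. The policy also lists `Authorization` under `expose:` for `origins '*'`: with a wildcard origin browsers will not attach cookies, so this is workable for a bearer-token API, but it lets any web page read that header from a response — worth confirming that no endpoint (the `token` route, for instance) ever returns a credential in an `Authorization` response header, and otherwise trimming the list to what the frontend reads. The nginx block this replaces sent `Access-Control-Max-Age` so preflights were cached; `resource '*'` here has no `max_age:`, so browsers will preflight every non-simple request unless one is added (e.g. `max_age: 86400`). If the frontend origins are known, naming them in `origins` instead of `'*'` narrows who can call the API cross-origin at all, though the wildcard is no worse than the reflected `$http_origin` being removed.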
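Review bot: The catch-all endpoint `lambda {|_| [204, { 'Content-Type' => 'text/plain' }]}` in config/routes.rb returns a two-element array, but a Rack endpoint must return `[status, headers, body]`; the server and body-wrapping middleware iterate the body, so the `nil` body will raise as soon as this route is hit. Return an empty body instead: `to: lambda { |_| [204, { 'Content-Type' => 'text/plain' }, []] }`. Note that `Rack::Cors` is inserted at position 0 and answers CORS preflights before routing, so this route only sees non-preflight OPTIONS requests, and it now answers 204 for every path — including ones that do not exist — without an `Allow` header; if CORS is the only goal the route may be unnecessary. The comment would also read better as `# global OPTIONS responder: makes sure OPTIONS requests for CORS endpoints work`.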
@@ -15,46 +15,6 @@ server {
 return 301 https://support.datacite.org/docs/api;
 }
 
- location / {
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
- add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
- #
- # Tell client that this pre-flight info is valid for 20 days
- #
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain; charset=utf-8';
- add_header 'Content-Length' 0;
- return 204;
- }
- if ($request_method = 'POST') {
- add_header 'Access-Control-Allow-Origin' "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
- add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
- }
- if ($request_method = 'PATCH') {
- add_header 'Access-Control-Allow-Origin' "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
- add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
- }
- if ($request_method = 'GET') {
- add_header 'Access-Control-Allow-Origin' "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
- add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
- }
- if ($request_method = 'DELETE') {
- add_header 'Access-Control-Allow-Origin' "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
- add_header 'Access-Control-Expose-Headers:' 'Content-Length,Content-Range';
- }
- }
-
 location /client-api/graphql {
 gzip on;
 gzip_min_length 1000;