Allow cross-origin requests between users' own apps

code-asher · code-asher · commit 28ec76b98b28 · 2023-05-25T15:19:59.000-08:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -394,9 +394,7 @@ func New(options *Options) *API {
 	derpHandler := derphttp.Handler(api.DERPServer)
 	derpHandler, api.derpCloseFunc = tailnet.WithWebsocketSupport(api.DERPServer, derpHandler)
 	cors := httpmw.Cors(options.DeploymentValues.Dangerous.AllowAllCors.Value())
-
 	r.Use(
-		cors,
 		httpmw.Recover(api.Logger),
 		tracing.StatusWriterMiddleware,
 		tracing.Middleware(api.TracerProvider),
@@ -407,9 +405,13 @@ func New(options *Options) *API {
 		// SubdomainAppMW checks if the first subdomain is a valid app URL. If
 		// it is, it will serve that application.
 		//
-		// Workspace apps do their own auth and must be BEFORE the auth
-		// middleware.
+		// Workspace apps do their own auth and CORS and must be BEFORE the auth
+		// and CORS middleware.
+		// REVIEW: Would it be worth creating httpmw.ExtractWorkspaceApp and using a
+		// single CORS middleware?
 		api.workspaceAppServer.HandleSubdomain(apiRateLimiter),
+		// REVIEW: Is it OK that CORS come after the above middleware?
+		cors,
 		// Build-Version is helpful for debugging.
 		func(next http.Handler) http.Handler {
 			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -13,6 +13,7 @@ import (
 	"sync"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/cors"
 	"github.com/google/uuid"
 	"go.opentelemetry.io/otel/trace"
 	"nhooyr.io/websocket"
@@ -361,41 +362,84 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 				return
 			}
 
-			if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
-				return
-			}
-
-			token, ok := ResolveRequest(rw, r, ResolveRequestOptions{
-				Logger:              s.Logger,
-				SignedTokenProvider: s.SignedTokenProvider,
-				DashboardURL:        s.DashboardURL,
-				PathAppBaseURL:      s.AccessURL,
-				AppHostname:         s.Hostname,
-				AppRequest: Request{
-					AccessMethod:      AccessMethodSubdomain,
-					BasePath:          "/",
-					UsernameOrID:      app.Username,
-					WorkspaceNameOrID: app.WorkspaceName,
-					AgentNameOrID:     app.AgentName,
-					AppSlugOrPort:     app.AppSlugOrPort,
-				},
-				AppPath:  r.URL.Path,
-				AppQuery: r.URL.RawQuery,
-			})
-			if !ok {
-				return
+			// REVIEW: Like mentioned in coderd.go maybe we should extract the app
+			// using middleware that way we can do this in a single top-level CORS
+			// handler?  Or just do the URL parsing twice.
+			var corsmw func(next http.Handler) http.Handler
+			origin := r.Header.Get("Origin")
+			if originApp, ok := s.parseOrigin(origin); ok && originApp.Username == app.Username {
+				corsmw = cors.Handler(cors.Options{
+					AllowedOrigins: []string{origin},
+					AllowedMethods: []string{
+						http.MethodHead,
+						http.MethodGet,
+						http.MethodPost,
+						http.MethodPut,
+						http.MethodPatch,
+						http.MethodDelete,
+					},
+					AllowedHeaders:   []string{"*"},
+					AllowCredentials: true,
+				})
+			} else {
+				corsmw = cors.Handler(cors.Options{
+					AllowedOrigins:   []string{""}, // The middleware defaults to *.
+					AllowedMethods:   []string{},
+					AllowedHeaders:   []string{},
+					AllowCredentials: false,
+				})
 			}
 
-			// Use the passed in app middlewares before passing to the proxy
-			// app.
-			mws := chi.Middlewares(middlewares)
+			// Use the passed in app middlewares before checking authentication and
+			// passing to the proxy app.
+			mws := chi.Middlewares(append(middlewares, corsmw))
 			mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+				if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
+					return
+				}
+
+				token, ok := ResolveRequest(rw, r, ResolveRequestOptions{
+					Logger:              s.Logger,
+					SignedTokenProvider: s.SignedTokenProvider,
+					DashboardURL:        s.DashboardURL,
+					PathAppBaseURL:      s.AccessURL,
+					AppHostname:         s.Hostname,
+					AppRequest: Request{
+						AccessMethod:      AccessMethodSubdomain,
+						BasePath:          "/",
+						UsernameOrID:      app.Username,
+						WorkspaceNameOrID: app.WorkspaceName,
+						AgentNameOrID:     app.AgentName,
+						AppSlugOrPort:     app.AppSlugOrPort,
+					},
+					AppPath:  r.URL.Path,
+					AppQuery: r.URL.RawQuery,
+				})
+				if !ok {
+					return
+				}
 				s.proxyWorkspaceApp(rw, r, *token, r.URL.Path)
 			})).ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
 }
 
+func (s *Server) parseOrigin(rawOrigin string) (httpapi.ApplicationURL, bool) {
+	origin, err := url.Parse(rawOrigin)
+	if rawOrigin == "" || origin.Host == "" || err != nil {
+		return httpapi.ApplicationURL{}, false
+	}
+	subdomain, ok := httpapi.ExecuteHostnamePattern(s.HostnameRegex, origin.Host)
+	if !ok {
+		return httpapi.ApplicationURL{}, false
+	}
+	app, err := httpapi.ParseSubdomainAppURL(subdomain)
+	if err != nil {
+		return httpapi.ApplicationURL{}, false
+	}
+	return app, true
+}
+
 // parseHostname will return if a given request is attempting to access a
 // workspace app via a subdomain. If it is, the hostname of the request is parsed
 // into an httpapi.ApplicationURL and true is returned. If the request is not
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -1170,7 +1170,7 @@ when required by your organization's security policy.`,
 		// ☢️ Dangerous settings
 		{
 			Name:        "DANGEROUS: Allow all CORs requests",
-			Description: "For security reasons, CORs requests are blocked. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",
+			Description: "For security reasons, CORs requests are blocked except between workspace apps owned by the same user. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",
 			Flag:        "dangerous-allow-cors-requests",
 			Env:         "CODER_DANGEROUS_ALLOW_CORS_REQUESTS",
 			Hidden:      true, // Hidden, should only be used by yarn dev server

Original file line number	Diff line number	Diff line change
@@ -1170,7 +1170,7 @@ when required by your organization's security policy.`,
`1170`	`1170`	`// ☢️ Dangerous settings`
`1171`	`1171`	`{`
`1172`	`1172`	`Name: "DANGEROUS: Allow all CORs requests",`
`1173`		`- Description: "For security reasons, CORs requests are blocked. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",`
	`1173`	`+ Description: "For security reasons, CORs requests are blocked except between workspace apps owned by the same user. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",`
`1174`	`1174`	`Flag: "dangerous-allow-cors-requests",`
`1175`	`1175`	`Env: "CODER_DANGEROUS_ALLOW_CORS_REQUESTS",`
`1176`	`1176`	`Hidden: true, // Hidden, should only be used by yarn dev server`