Break out workspace app cors handler

code-asher · code-asher · commit 4dfc69d6063a · 2023-05-31T14:36:25.000-08:00
This will make it easier to test.
diff --git a/coderd/httpmw/cors.go b/coderd/httpmw/cors.go
@@ -2,8 +2,12 @@ package httpmw
 
 import (
 	"net/http"
+	"net/url"
+	"regexp"
 
 	"github.com/go-chi/cors"
+
+	"github.com/coder/coder/coderd/httpapi"
 )
 
 //nolint:revive
@@ -25,3 +29,33 @@ func Cors(allowAll bool, origins ...string) func(next http.Handler) http.Handler
 		AllowCredentials: false,
 	})
 }
+
+func WorkspaceAppCors(regex *regexp.Regexp, app httpapi.ApplicationURL) func(next http.Handler) http.Handler {
+	return cors.Handler(cors.Options{
+		AllowOriginFunc: func(r *http.Request, rawOrigin string) bool {
+			origin, err := url.Parse(rawOrigin)
+			if rawOrigin == "" || origin.Host == "" || err != nil {
+				return false
+			}
+			subdomain, ok := httpapi.ExecuteHostnamePattern(regex, origin.Host)
+			if !ok {
+				return false
+			}
+			originApp, err := httpapi.ParseSubdomainAppURL(subdomain)
+			if err != nil {
+				return false
+			}
+			return ok && originApp.Username == app.Username
+		},
+		AllowedMethods: []string{
+			http.MethodHead,
+			http.MethodGet,
+			http.MethodPost,
+			http.MethodPut,
+			http.MethodPatch,
+			http.MethodDelete,
+		},
+		AllowedHeaders:   []string{"*"},
+		AllowCredentials: true,
+	})
+}
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -13,7 +13,6 @@ import (
 	"sync"
 
 	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/cors"
 	"github.com/google/uuid"
 	"go.opentelemetry.io/otel/trace"
 	"nhooyr.io/websocket"
@@ -364,22 +363,7 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 
 			// Use the passed in app middlewares before checking authentication and
 			// passing to the proxy app.
-			mws := chi.Middlewares(append(middlewares, cors.Handler(cors.Options{
-				AllowOriginFunc: func(r *http.Request, origin string) bool {
-					originApp, ok := s.parseOrigin(origin)
-					return ok && originApp.Username == app.Username
-				},
-				AllowedMethods: []string{
-					http.MethodHead,
-					http.MethodGet,
-					http.MethodPost,
-					http.MethodPut,
-					http.MethodPatch,
-					http.MethodDelete,
-				},
-				AllowedHeaders:   []string{"*"},
-				AllowCredentials: true,
-			})))
+			mws := chi.Middlewares(append(middlewares, httpmw.WorkspaceAppCors(s.HostnameRegex, app)))
 			mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 				if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
 					return
@@ -411,22 +395,6 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 	}
 }
 
-func (s *Server) parseOrigin(rawOrigin string) (httpapi.ApplicationURL, bool) {
-	origin, err := url.Parse(rawOrigin)
-	if rawOrigin == "" || origin.Host == "" || err != nil {
-		return httpapi.ApplicationURL{}, false
-	}
-	subdomain, ok := httpapi.ExecuteHostnamePattern(s.HostnameRegex, origin.Host)
-	if !ok {
-		return httpapi.ApplicationURL{}, false
-	}
-	app, err := httpapi.ParseSubdomainAppURL(subdomain)
-	if err != nil {
-		return httpapi.ApplicationURL{}, false
-	}
-	return app, true
-}
-
 // parseHostname will return if a given request is attempting to access a
 // workspace app via a subdomain. If it is, the hostname of the request is parsed
 // into an httpapi.ApplicationURL and true is returned. If the request is not
