
Commit ed41edd

committed
Simplify CORS handler with AllowOriginFunc
1 parent 28ec76b commit ed41edd


2 files changed

+16
-32
lines changed


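--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -407,10 +407,7 @@ func New(options *Options) *API {
 //
 // Workspace apps do their own auth and CORS and must be BEFORE the auth
 // and CORS middleware.
-// REVIEW: Would it be worth creating httpmw.ExtractWorkspaceApp and using a
-// single CORS middleware?
 api.workspaceAppServer.HandleSubdomain(apiRateLimiter),
-// REVIEW: Is it OK that CORS come after the above middleware?
 cors,
 // Build-Version is helpful for debugging.
 func(next http.Handler) http.Handler {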

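--- a/coderd/workspaceapps/proxy.go
+++ b/coderd/workspaceapps/proxy.go
@@ -362,37 +362,24 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
 return
 }
 
-// REVIEW: Like mentioned in coderd.go maybe we should extract the app
-// using middleware that way we can do this in a single top-level CORS
-// handler? Or just do the URL parsing twice.
-var corsmw func(next http.Handler) http.Handler
-origin := r.Header.Get("Origin")
-if originApp, ok := s.parseOrigin(origin); ok && originApp.Username == app.Username {
-corsmw = cors.Handler(cors.Options{
-AllowedOrigins: []string{origin},
-AllowedMethods: []string{
-http.MethodHead,
-http.MethodGet,
-http.MethodPost,
-http.MethodPut,
-http.MethodPatch,
-http.MethodDelete,
-},
-AllowedHeaders: []string{"*"},
-AllowCredentials: true,
-})
-} else {
-corsmw = cors.Handler(cors.Options{
-AllowedOrigins: []string{""}, // The middleware defaults to *.
-AllowedMethods: []string{},
-AllowedHeaders: []string{},
-AllowCredentials: false,
-})
-}
-
 // Use the passed in app middlewares before checking authentication and
 // passing to the proxy app.
-mws := chi.Middlewares(append(middlewares, corsmw))
+mws := chi.Middlewares(append(middlewares, cors.Handler(cors.Options{
+AllowOriginFunc: func(r *http.Request, origin string) bool {
+originApp, ok := s.parseOrigin(origin)
+return ok && originApp.Username == app.Username
+},
+AllowedMethods: []string{
+http.MethodHead,
+http.MethodGet,
+http.MethodPost,
+http.MethodPut,
+http.MethodPatch,
+http.MethodDelete,
+},
+AllowedHeaders: []string{"*"},
+AllowCredentials: true,
+})))
 mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 if !s.handleAPIKeySmuggling(rw, r, AccessMethodSubdomain) {
 return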
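Review bot: The `AllowOriginFunc` callback at new lines 368-371 is now the only gate for credentialed cross-origin requests (`AllowCredentials: true` with `AllowedHeaders: []string{"*"}`), and it carries no comment stating the trust rule it enforces. I would put `// Only origins that parse as a workspace app owned by the same user may make credentialed cross-origin requests.` directly above it. The check visible here compares only `Username`; whether the origin's scheme and port are validated depends on `s.parseOrigin`, which is outside this hunk, so that is worth confirming and pinning with a test that covers another user's app origin and a non-app origin. The unused request parameter of the callback can be written `_ *http.Request`. `HandleSubdomain`'s body starts and ends outside the hunk.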
