feat(cors): Added cross origin support #221
Conversation
cmd/optimizely/main_test.go
Outdated
| @@ -94,6 +94,15 @@ func assertAPIAuth(t *testing.T, actual config.ServiceAuthConfig) { | |||
| assert.Equal(t, 25*time.Second, actual.JwksUpdateInterval) | |||
| } | |||
|
|
|||
| func assertAPICORS(t *testing.T, actual config.CORSConfig) { | |||
| assert.Equal(t, []string{"http://test.com"}, actual.AllowedOrigins) | |||
There was a problem hiding this comment.
add one more domain.
Codecov Report
@@ Coverage Diff @@
## master #221 +/- ##
==========================================
+ Coverage 82.38% 82.55% +0.17%
==========================================
Files 27 27
Lines 1243 1261 +18
==========================================
+ Hits 1024 1041 +17
- Misses 164 165 +1
Partials 55 55
Continue to review full report at Codecov.
|
pkg/routers/api_test.go
Outdated
| @@ -66,6 +78,17 @@ var testAuthMiddleware = func(next http.Handler) http.Handler { | |||
| return http.HandlerFunc(fn) | |||
| } | |||
|
|
|||
| var testCorsHandler = cors.Handler( | |||
There was a problem hiding this comment.
Looks like we're testing the cors.Handler more than we're testing api.go. I think what we really need to test is that some handler was properly added where appropriate in the request path.
There was a problem hiding this comment.
@mikecdavis handler is added for all requests. The only way to verify is to check things are coming back in the response or not.
Please suggest if you want unit tests other than this approach.
config/config.go
Outdated
| } | ||
|
|
||
| // ToCorsOptions converts CORSConfig to cors middleware options | ||
| func (c *CORSConfig) ToCorsOptions() cors.Options { |
There was a problem hiding this comment.
Nit, but I'd prefer we didn't add this here as it feels like we're leaking a dependency. I think having a method in api.go would be a cleaner abstraction.
func CreateCorsHandler(c conf.CORSConfig) func(next http.Handler) http.Handler {
options := cors.Options{
AllowedOrigins: c.AllowedOrigins,
AllowedMethods: c.AllowedMethods,
AllowedHeaders: c.AllowedHeaders,
ExposedHeaders: c.ExposedHeaders,
AllowCredentials: c.AllowedCredentials,
MaxAge: c.MaxAge,
}
return cors.Handler(options)
}
config/config.go
Outdated
| // If allowedOrigins is nil or empty, value is set to ["*"]. | ||
| AllowedOrigins: nil, |
There was a problem hiding this comment.
Looks like this is defaulting to wide-open CORS support. We need to default to disabled then enable only if explicitly configured.
There was a problem hiding this comment.
agree with this comment
There was a problem hiding this comment.
Discussed offline, it's OK to comment it out and give an idea to the user, CORS is not enabled. It will work as expected without cors before implementing it how it was working.
|
@msohailhussain @mikecdavis I suggest this setting be used in the Notifications handler, which is currently hard-coded to |
config.yaml
Outdated
| ## | ||
| ## admin service configuration | ||
| ## | ||
| admin: | ||
| ## http listener port | ||
| port: "8088" | ||
|
|
||
There was a problem hiding this comment.
remove this line.
|
#221 (comment) |
config/config.go
Outdated
| // If AllowedOrigins is nil or empty, value is set to ["*"]. | ||
| AllowedOrigins: nil, | ||
| // If AllowedMethods is nil or empty, value is set to (HEAD, GET and POST). | ||
| AllowedMethods: []string{"HEAD", "GET", "PUT", "POST", "DELETE"}, |
There was a problem hiding this comment.
Might as well default to nil or empty here rather than to extend the default.
There was a problem hiding this comment.
Sure, will do.
Summary
TestPlan
Issues
No Issues