87 lines
2.5 KiB
Ruby
87 lines
2.5 KiB
Ruby
module Middleware
|
|
class SanastoCors
|
|
ALLOWED_APP_ID = ENV.fetch("SANASTO_APP_ID", "app.sanasto").freeze
|
|
APP_ID_HEADER = "HTTP_X_SANASTO_APP"
|
|
|
|
def initialize(app)
|
|
@app = app
|
|
end
|
|
|
|
def call(env)
|
|
if allow_cors_for?(env)
|
|
if env["REQUEST_METHOD"] == "OPTIONS"
|
|
return preflight_response(env["HTTP_ORIGIN"], allowed_request_headers(env))
|
|
end
|
|
end
|
|
|
|
status, headers, body = @app.call(env)
|
|
if allow_cors_for?(env)
|
|
apply_cors_headers(headers, env["HTTP_ORIGIN"])
|
|
end
|
|
[ status, headers, body ]
|
|
end
|
|
|
|
private
|
|
|
|
def allow_cors_for?(env)
|
|
origin = env["HTTP_ORIGIN"].to_s
|
|
return false if origin.empty?
|
|
|
|
if env["REQUEST_METHOD"] == "OPTIONS"
|
|
return preflight_includes_app_id_header?(env)
|
|
end
|
|
|
|
app_id = env[APP_ID_HEADER].to_s
|
|
return false if app_id.empty?
|
|
|
|
app_id == ALLOWED_APP_ID
|
|
end
|
|
|
|
def preflight_includes_app_id_header?(env)
|
|
access_control_headers = env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"].to_s
|
|
return false if access_control_headers.empty?
|
|
|
|
access_control_headers
|
|
.split(",")
|
|
.map { |header_name| header_name.strip.downcase }
|
|
.include?("x-sanasto-app")
|
|
end
|
|
|
|
def allowed_request_headers(env)
|
|
access_control_headers = env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"].to_s
|
|
return default_allowed_headers if access_control_headers.empty?
|
|
|
|
sanitized = access_control_headers
|
|
.split(",")
|
|
.map { |header_name| header_name.strip }
|
|
.reject(&:empty?)
|
|
.join(", ")
|
|
|
|
sanitized.empty? ? default_allowed_headers : sanitized
|
|
end
|
|
|
|
def preflight_response(origin, allowed_headers)
|
|
headers = {}
|
|
apply_cors_headers(headers, origin, allowed_headers)
|
|
headers["Access-Control-Max-Age"] = "86400"
|
|
headers["Vary"] = [
|
|
headers["Vary"],
|
|
"Access-Control-Request-Headers",
|
|
"Access-Control-Request-Method"
|
|
].compact.join(", ")
|
|
[ 204, headers, [] ]
|
|
end
|
|
|
|
def apply_cors_headers(headers, origin, allowed_headers = default_allowed_headers)
|
|
headers["Access-Control-Allow-Origin"] = origin
|
|
headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
|
|
headers["Access-Control-Allow-Headers"] = allowed_headers
|
|
headers["Vary"] = [ headers["Vary"], "Origin, X-Sanasto-App" ].compact.join(", ")
|
|
end
|
|
|
|
def default_allowed_headers
|
|
"Origin, Content-Type, Accept, Authorization, X-Sanasto-App"
|
|
end
|
|
end
|
|
end
|