From 269caf650cc5a3626d3ea06f46112664ab41d5c4 Mon Sep 17 00:00:00 2001
From: Peter van Vliet
Date: Sun, 12 Feb 2023 11:08:33 +0100
Subject: [PATCH 1/2] #132: Added support for setting the allowed CORS headers
---
documentation/05_advanced_features.md | 10 ++++++++--
.../src/runtime/middleware/CorsMiddleware.ts | 15 +++++++++------
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/documentation/05_advanced_features.md b/documentation/05_advanced_features.md
index 8fcebb20..4bca2ef2 100644
--- a/documentation/05_advanced_features.md
+++ b/documentation/05_advanced_features.md
@@ -291,12 +291,18 @@ const moduleImporter = async (specifier: string) => import(specifier); startServer(moduleImporter).then(server => { - server.addMiddleware(new CorsMiddleware('https://jitar.dev')); + //server.addMiddleware(new CorsMiddleware()); // allow all origins and headers + //server.addMiddleware(new CorsMiddleware('https://jitar.dev')); // allow specific origin and all headers + server.addMiddleware(new CorsMiddleware('https://jitar.dev', 'Content-Type, Authorization')); // allow specific origin and headers }); ``` +The first argument sets the [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header. This header only supports a single origin or a wildcard. The latter is the default when no origin is provided. + +The second argument sets the [Access-Control-Allow-Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) header. This header supports a comma separated list of headers or a wildcard. The latter is the default when no headers are provided. + {:.alert-info} -The CORS middleware only supports a single origin or a wildcard. The latter is the default when no origin is provided. +The [Access-Control-Allow-Methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) header is always set to GET and POST because these are by default supported by the [RPC API](#rpc). --- diff --git a/packages/jitar/src/runtime/middleware/CorsMiddleware.ts b/packages/jitar/src/runtime/middleware/CorsMiddleware.ts index 7d23cb09..87753b26 100644 --- a/packages/jitar/src/runtime/middleware/CorsMiddleware.ts +++ b/packages/jitar/src/runtime/middleware/CorsMiddleware.ts 
@@ -5,12 +5,14 @@ import NextHandler from '../types/NextHandler.js'; export default class CorsMiddleware implements Middleware { - #origin: string; - #methods = ['GET', 'POST']; + #allowOrigin: string; + #allowMethods = 'GET, POST'; + #allowHeaders: string; - constructor(origin = '*') + constructor(origin = '*', headers = '*') { - this.#origin = origin; + this.#allowOrigin = origin; + this.#allowHeaders = headers; } async handle(fqn: string, version: Version, args: Map, headers: Map, next: NextHandler): Promise @@ -24,7 +26,8 @@ export default class CorsMiddleware implements Middleware #setHeaders(headers: Map): void { - headers.set('Access-Control-Allow-Origin', this.#origin); - headers.set('Access-Control-Allow-Methods', this.#methods.join(', ')); + headers.set('Access-Control-Allow-Origin', this.#allowOrigin); + headers.set('Access-Control-Allow-Methods', this.#allowMethods); + headers.set('Access-Control-Allow-Headers', this.#allowHeaders); } } From 18d6a4a40daf79ddc4c520b99213d4f56368b8c9 Mon Sep 17 00:00:00 2001 From: Peter van Vliet Date: Sun, 12 Feb 2023 13:14:04 +0100 Subject: [PATCH 2/2] #132: Added unsupported CORS preflight requests warning --- documentation/05_advanced_features.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/documentation/05_advanced_features.md b/documentation/05_advanced_features.md index 4bca2ef2..3868fd9d 100644 --- a/documentation/05_advanced_features.md +++ b/documentation/05_advanced_features.md 
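Review bot: The new `headers = '*'` default on the constructor makes the most permissive value the one a caller gets by omission, and `*` does not mean "every header" in all cases. Under the Fetch specification `Authorization` is never covered by a wildcard in Access-Control-Allow-Headers and has to be listed by name, and on credentialed requests `*` is read as a literal header name. The constructor has no doc comment, so I would add one stating this, for example `/** @param headers Comma-separated allow-list; '*' does not cover Authorization and is not a wildcard for credentialed requests. */`. The class continues past this hunk (the body of `handle` is not shown), so how the stored values are used per request is only visible in the next hunk.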
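Review bot: `#setHeaders` now emits Access-Control-Allow-Headers next to Access-Control-Allow-Methods, but browsers read both only from the response to the preflight OPTIONS request. The documentation added in the second patch of this series says OPTIONS responses do not carry middleware headers. As far as the visible lines show, a configured allow-list therefore has no effect on the requests that need it (for instance ones carrying `Authorization`), which the browser will keep blocking. A comment above the method would stop a reader from taking the setting as effective, for example `// Allow-Methods and Allow-Headers are only honoured on preflight (OPTIONS) responses, which the RPC API does not serve yet.` The call site in `handle` is outside the hunk, so the ordering relative to `next()` could not be checked.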
@@ -304,6 +304,9 @@ The second argument sets the [Access-Control-Allow-Headers](https://developer.mo {:.alert-info} The [Access-Control-Allow-Methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) header is always set to GET and POST because these are by default supported by the [RPC API](#rpc). +{:.alert-warning} +The [RPC API](#rpc) does not provide custom headers set by middleware in OPTIONS requests. This means that CORS preflight requests are not supported yet. Don't hesitate to create a [feature request](https://github.com/MaskingTechnology/jitar/issues/new/choose) if you need it. This helps up prioritize our time. + --- {:.previous-chapter}