Cors should use pre-matching request check #11097

Open
wants to merge 1 commit into
base: 4.7.x

dstepanov
Contributor

No description provided.

return Optional.of(HttpStatus.FORBIDDEN);
if (hasAllowedHeaders(request, config)) {
List<UriRouteMatch<Object, Object>> anyUriRoutes = router.findAny(request);
if (anyUriRoutes.isEmpty()) {
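Review bot: the `if (anyUriRoutes.isEmpty())` branch has no visible comment or test stating which status a preflight receives when `router.findAny(request)` finds no route for the path. State the intended result next to that branch and add a spec that sends a preflight to an unmapped path, so the behaviour is pinned rather than implied.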
Contributor Author

@dstepanov dstepanov Aug 19, 2024

This is how it worked before, but I think that's not correct. methodToMatchOptional is OPTIONS for preflight check and there is no such method in mocked tests.

Member

methodToMatchOptional can be not OPTIONS if there's an Access-Control-Request-Method header.

Contributor Author

Shouldn't we fail OPTIONS call if there is no route present under that path?

Member

No, in that case the preflight should return a good response and the actual CORS request should return the 404. This will allow the CORS client to see that the route is missing. Otherwise it will just get a permission error.
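The difference described in the comment above, as an added example that is not part of this PR or of Micronaut: a small model of what browser script can observe under each preflight policy. The route table, the CORS settings, the function names, and the assumption that the 404 still carries the CORS header are all constructed for illustration.

```javascript
// Constructed model, not Micronaut code. Route table and CORS settings are assumptions.
const routes = new Set(["POST /books"]);
const cors = { origin: "https://app.example", methods: ["GET", "POST"] };

// Preflight handler. failOnMissingRoute = true models rejecting OPTIONS for an
// unmapped path; false models answering on origin and method alone.
function preflight(req, failOnMissingRoute) {
  const wanted = req.headers["access-control-request-method"];
  if (req.headers.origin !== cors.origin || !cors.methods.includes(wanted)) {
    return { status: 403, headers: {} };
  }
  const pathKnown = [...routes].some((r) => r.split(" ")[1] === req.path);
  if (failOnMissingRoute && !pathKnown) {
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: { "access-control-allow-origin": cors.origin } };
}

// Actual request: routing happens here. Assumption: the CORS header is attached
// to the 404 as well, so the client is allowed to read it.
function actual(req) {
  const status = routes.has(`${req.method} ${req.path}`) ? 200 : 404;
  return { status, headers: { "access-control-allow-origin": cors.origin } };
}

// What page script observes, using a simplified form of the Fetch CORS rules.
// Every call is assumed to be non-simple (for example a JSON body), so a
// preflight is always sent; a failed preflight surfaces as a network error
// with no status code.
function clientSees(method, path, failOnMissingRoute) {
  const origin = cors.origin;
  const pre = preflight(
    { method: "OPTIONS", path, headers: { origin, "access-control-request-method": method } },
    failOnMissingRoute
  );
  const preOk = pre.status >= 200 && pre.status < 300 &&
    pre.headers["access-control-allow-origin"] === origin;
  if (!preOk) return "network error (CORS)";
  const res = actual({ method, path, headers: { origin } });
  return res.headers["access-control-allow-origin"] === origin
    ? `HTTP ${res.status}`
    : "network error (CORS)";
}
```

With the route check in the preflight, a missing route and a disallowed method are indistinguishable to the client; without it, the missing route shows up as a readable 404.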

@graemerocher
Contributor

seems to be failing?


then:
HttpStatus.OK == response.status()
HttpStatus.FORBIDDEN == response.status()
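Review bot: under `then:` the expected status is `HttpStatus.OK` on one line and `HttpStatus.FORBIDDEN` on the next, and nothing in the spec says which precondition (origin mapping, allowed headers, route match) produces the new value. Add a short comment or a more specific feature name to the spec so that a changed expectation can be told apart from a repaired mock.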
Contributor Author

I had to rewrite the mocked test. This is not passing anymore, the mock didn't include the proper origin mapping so the request filter was skipped. Please check how it is supposed to work @yawkat @sdelamo

@sdelamo sdelamo added this to the 4.7.0 milestone Oct 7, 2024