authorize: allow CORS preflight requests (#672)

* proxy: implement preserve host header option * authorize: allow CORS preflight requests
2025-08-04 01:09:36 +02:00 · 2020-05-08 15:56:43 -06:00 · 2020-05-08 15:56:43 -06:00 · 98d2f194a0
commit 98d2f194a0
parent d92ee8d2a0
6 changed files with 42 additions and 85 deletions
--- a/internal/middleware/cors.go
+++ b/internal/middleware/cors.go
@ -1,26 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-
-	"github.com/pomerium/pomerium/internal/telemetry/trace"
-)
-
-// CorsBypass is middleware that takes a target handler as a paramater,
-// if the request is determined to be a CORS preflight request, that handler
-// is called instead of the normal handler chain.
-func CorsBypass(target http.Handler) func(next http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			ctx, span := trace.StartSpan(r.Context(), "middleware.CorsBypass")
-			defer span.End()
-			if r.Method == http.MethodOptions &&
-				r.Header.Get("Access-Control-Request-Method") != "" &&
-				r.Header.Get("Origin") != "" {
-				target.ServeHTTP(w, r.WithContext(ctx))
-				return
-			}
-			next.ServeHTTP(w, r.WithContext(ctx))
-		})
-	}
-}
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@ -1,56 +0,0 @@
-package middleware
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-)
-
-func someOtherMiddleware(s string) func(next http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Some-Other-Middleware", s)
-			next.ServeHTTP(w, r)
-		})
-	}
-}
-func TestCorsBypass(t *testing.T) {
-	t.Parallel()
-	fn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		fmt.Fprint(w, http.StatusText(http.StatusOK))
-		w.WriteHeader(http.StatusOK)
-	})
-
-	tests := []struct {
-		name       string
-		method     string
-		header     http.Header
-		wantStatus int
-		wantHeader string
-	}{
-		{"good", http.MethodOptions, http.Header{"Access-Control-Request-Method": []string{"GET"}, "Origin": []string{"localhost"}}, 200, ""},
-		{"invalid cors - non options request", http.MethodGet, http.Header{"Access-Control-Request-Method": []string{"GET"}, "Origin": []string{"localhost"}}, 200, "BAD"},
-		{"invalid cors - Origin not set", http.MethodOptions, http.Header{"Access-Control-Request-Method": []string{"GET"}, "Origin": []string{""}}, 200, "BAD"},
-		{"invalid cors - Access-Control-Request-Method not set", http.MethodOptions, http.Header{"Access-Control-Request-Method": []string{""}, "Origin": []string{"*"}}, 200, "BAD"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := &http.Request{
-				Method: tt.method,
-				Header: tt.header,
-			}
-			w := httptest.NewRecorder()
-			target := fn
-			got := CorsBypass(target)(someOtherMiddleware("BAD")(target))
-			got.ServeHTTP(w, r)
-			if status := w.Code; status != tt.wantStatus {
-				t.Errorf("TestCorsBypass() error = %v, wantErr %v\n%v", w.Result().StatusCode, tt.wantStatus, w.Body.String())
-			}
-			if header := w.Header().Get("Some-Other-Middleware"); tt.wantHeader != header {
-				t.Errorf("TestCorsBypass() header = %v, want %v", header, tt.wantHeader)
-			}
-		})
-	}
-}