Fix cors preflight request (#1235)
This commit is contained in:
parent
51f3124717
commit
a5dc16537e
|
@ -45,7 +45,8 @@ proc httpCors*(allowedOrigins: seq[Uri]): HttpAuthHook =
|
||||||
# this section shared by all http method
|
# this section shared by all http method
|
||||||
let origin = parseUri(origins[0])
|
let origin = parseUri(origins[0])
|
||||||
let resp = req.getResponse()
|
let resp = req.getResponse()
|
||||||
if not allowedOrigins.containsOrigin(origin):
|
|
||||||
|
if not everyOriginAllowed and not allowedOrigins.containsOrigin(origin):
|
||||||
return await req.respond(Http403, "Origin not allowed")
|
return await req.respond(Http403, "Origin not allowed")
|
||||||
|
|
||||||
if everyOriginAllowed:
|
if everyOriginAllowed:
|
||||||
|
@ -57,21 +58,29 @@ proc httpCors*(allowedOrigins: seq[Uri]): HttpAuthHook =
|
||||||
resp.addHeader("Vary", "Origin")
|
resp.addHeader("Vary", "Origin")
|
||||||
resp.addHeader("Access-Control-Allow-Origin", origins[0])
|
resp.addHeader("Access-Control-Allow-Origin", origins[0])
|
||||||
|
|
||||||
if req.meth == MethodOptions:
|
let methods = req.headers.getList("Access-Control-Request-Method")
|
||||||
# Preflight request
|
|
||||||
let meth = resp.getHeader("Access-Control-Request-Method", "?")
|
# Check it this is preflight request
|
||||||
if meth != "?":
|
# There are three conditions to identify proper preflight request:
|
||||||
|
# - Origin header is present (we checked this earlier)
|
||||||
|
# - It uses OPTIONS method
|
||||||
|
# - It has Access-Control-Request-Method header
|
||||||
|
if req.meth == MethodOptions and len(methods) > 0:
|
||||||
# TODO: get actual methods supported by respective server
|
# TODO: get actual methods supported by respective server
|
||||||
# e.g. JSON-RPC, GRAPHQL, ENGINE-API
|
# e.g. JSON-RPC, GRAPHQL, ENGINE-API
|
||||||
resp.addHeader("Access-Control-Allow-Methods", "GET, POST")
|
resp.addHeader("Access-Control-Allow-Methods", "GET, POST")
|
||||||
resp.addHeader("Vary", "Access-Control-Request-Method")
|
resp.addHeader("Vary", "Access-Control-Request-Method")
|
||||||
|
|
||||||
let heads = resp.getHeader("Access-Control-Request-Headers", "?")
|
# check headers
|
||||||
if heads != "?":
|
let headers = req.headers.getString("Access-Control-Request-Headers", "?")
|
||||||
|
|
||||||
|
if headers != "?":
|
||||||
# TODO: get actual headers supported by each server?
|
# TODO: get actual headers supported by each server?
|
||||||
resp.addHeader("Access-Control-Allow-Headers", heads)
|
resp.addHeader("Access-Control-Allow-Headers", headers)
|
||||||
resp.addHeader("Vary", "Access-Control-Request-Headers")
|
resp.addHeader("Vary", "Access-Control-Request-Headers")
|
||||||
return await req.respond(Http400)
|
|
||||||
|
# Response to preflight request should be in 200 range.
|
||||||
|
return await req.respond(Http204)
|
||||||
|
|
||||||
# other method such as POST or GET will fill
|
# other method such as POST or GET will fill
|
||||||
# the rest of response in server
|
# the rest of response in server
|
||||||
|
|
Loading…
Reference in New Issue