status-im/nimbus-eth1
2
0
Fork 0
mirror of https://github.com/status-im/nimbus-eth1.git synced 2025-01-13 13:55:45 +00:00
Code Issues Projects Releases Wiki Activity
nimbus-eth1/nimbus/rpc/cors.nim
Jacek Sieka 5fc4c13ab1
Increase JSON-RPC limits, bump json-rpc (#2759) 
* blocks can be bigger than the default 1mb when json-rpc-encoded - this
happens on sepolia for example
* json-rpc bump improves debug logging and fixes a number of bugs
* json-serialization bump fixes a crash on invalid arrays in json data

At some point, it would probably be better to compute the maximum block
size from actual block constraints, though this is somewhat tricky and
depends on gas limits etc. Until then, 16mb should be plenty.

With this, sepolia can be synced :)
2024-10-23 10:26:56 +02:00

91 lines
3.0 KiB
Nim
Raw Blame History

# Nimbus
# Copyright (c) 2022-2024 Status Research & Development GmbH
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at
# https://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at
# https://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except
# according to those terms.
import
std/[uri],
chronos,
chronos/apps/http/httptable,
chronos/apps/http/httpserver,
httputils,
./rpc_server
{.push gcsafe, raises: [].}
proc sameOrigin(a, b: Uri): bool =
a.hostname == b.hostname and
a.scheme == b.scheme and
a.port == b.port
proc containsOrigin(list: seq[Uri], origin: Uri): bool =
for x in list:
if x.sameOrigin(origin): return true
const
HookOK = HttpResponseRef(nil)
proc httpCors*(allowedOrigins: seq[Uri]): RpcAuthHook =
proc handler(req: HttpRequestRef): Future[HttpResponseRef] {.async: (raises: [CatchableError]).} =
let origins = req.headers.getList("Origin")
let everyOriginAllowed = allowedOrigins.len == 0
if origins.len > 1:
return await req.respond(Http400,
"Only a single Origin header must be specified")
if origins.len == 0:
# maybe not a CORS request
return HookOK
# this section shared by all http method
let origin = parseUri(origins[0])
let resp = req.getResponse()
if not everyOriginAllowed and not allowedOrigins.containsOrigin(origin):
return await req.respond(Http403, "Origin not allowed")
if everyOriginAllowed:
resp.addHeader("Access-Control-Allow-Origin", "*")
else:
# The Vary: Origin header to must be set to prevent
# potential cache poisoning attacks:
# https://textslashplain.com/2018/08/02/cors-and-vary/
resp.addHeader("Vary", "Origin")
resp.addHeader("Access-Control-Allow-Origin", origins[0])
let methods = req.headers.getList("Access-Control-Request-Method")
# Check it this is preflight request
# There are three conditions to identify proper preflight request:
# - Origin header is present (we checked this earlier)
# - It uses OPTIONS method
# - It has Access-Control-Request-Method header
if req.meth == MethodOptions and len(methods) > 0:
# TODO: get actual methods supported by respective server
# e.g. JSON-RPC, GRAPHQL, ENGINE-API
resp.addHeader("Access-Control-Allow-Methods", "GET, POST")
resp.addHeader("Vary", "Access-Control-Request-Method")
# check headers
let headers = req.headers.getString("Access-Control-Request-Headers", "?")
if headers != "?":
# TODO: get actual headers supported by each server?
resp.addHeader("Access-Control-Allow-Headers", headers)
resp.addHeader("Vary", "Access-Control-Request-Headers")
# Response to preflight request should be in 200 range.
return await req.respond(Http204)
# other method such as POST or GET will fill
# the rest of response in server
return HookOK
result = handler
Reference in New Issue View Git Blame Copy Permalink