vikarti.anatra/safing-portbase
1
0
Fork 0
mirror of https://github.com/safing/portbase synced 2025-09-04 19:50:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix CORS preflight checks requiring authentication

Browse source
This commit is contained in:
Patrick Pacher 2022-07-27 14:57:05 +02:00 committed by Daniel
parent e5b8dd77da
commit 2431914756
1 changed files with 42 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
api/router.go
View file

@ -106,10 +106,9 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
}() }()
// Check Cross-Origin Requests. // Check Cross-Origin Requests.
isCrossSite := false
origin := r.Header.Get("Origin") origin := r.Header.Get("Origin")
isPreflighCheck := false
if origin != "" { if origin != "" {
isCrossSite = true
// Parse origin URL. // Parse origin URL.
originURL, err := url.Parse(origin) originURL, err := url.Parse(origin)
@ -125,6 +124,9 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
// Origin (with port) matches Host. // Origin (with port) matches Host.
case originURL.Hostname() == r.Host: case originURL.Hostname() == r.Host:
// Origin (without port) matches Host. // Origin (without port) matches Host.
case originURL.Scheme == "chrome-extension":
// Allow access for the browser extension
// TODO(ppacher): can we improve that check here?
case devMode() && case devMode() &&
utils.StringInSlice(allowedDevCORSOrigins, originURL.Hostname()): utils.StringInSlice(allowedDevCORSOrigins, originURL.Hostname()):
// We are in dev mode and the request is coming from the allowed // We are in dev mode and the request is coming from the allowed
@ -138,6 +140,22 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
// If the Host header has a port, and the Origin does not, requests will // If the Host header has a port, and the Origin does not, requests will
// also end up here, as we cannot properly check for equality. // also end up here, as we cannot properly check for equality.
} }
// Add Cross-Site Headers now as we need them in any case now.
w.Header().Set("Access-Control-Allow-Origin", origin)
w.Header().Set("Access-Control-Allow-Methods", "*")
w.Header().Set("Access-Control-Allow-Headers", "*")
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Expose-Headers", "*")
w.Header().Set("Access-Control-Max-Age", "60")
w.Header().Add("Vary", "Origin")
// if there's a Access-Control-Request-Method header this is a Preflight check.
// In that case, we will just check if the preflighMethod is allowed and then return
// success here
if preflighMethod := r.Header.Get("Access-Control-Request-Method"); r.Method == http.MethodOptions && preflighMethod != "" {
isPreflighCheck = true
}
} }
// Clean URL. // Clean URL.
@ -184,21 +202,6 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
return nil return nil
} }
// Check authentication.
apiRequest.AuthToken = authenticateRequest(lrw, r, handler, readMethod)
if apiRequest.AuthToken == nil {
// Authenticator already replied.
return nil
}
// Wait for the owning module to be ready.
if moduleHandler, ok := handler.(ModuleHandler); ok {
if !moduleIsReady(moduleHandler.BelongsTo()) {
http.Error(lrw, "The API endpoint is not ready yet. Please try again later.", http.StatusServiceUnavailable)
return nil
}
}
// Add security headers. // Add security headers.
w.Header().Set("Referrer-Policy", "no-referrer") w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Content-Type-Options", "nosniff")
@ -217,15 +220,28 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
) )
} }
// Add Cross-Site Headers when handling Cross-Site Requests. // At this point we know the method is allowed and there's a handler for the request.
if isCrossSite { // If this is just a CORS-Preflight, we'll accept the request with StatusOK now.
w.Header().Set("Access-Control-Allow-Origin", origin) // There's no point in trying to authenticate the request because the Browser will
w.Header().Set("Access-Control-Allow-Methods", "*") // not send authentication along a preflight check.
w.Header().Set("Access-Control-Allow-Headers", "*") if isPreflighCheck && handler != nil {
w.Header().Set("Access-Control-Allow-Credentials", "true") lrw.WriteHeader(http.StatusOK)
w.Header().Set("Access-Control-Expose-Headers", "*") return nil
w.Header().Set("Access-Control-Max-Age", "60") }
w.Header().Add("Vary", "Origin")
// Check authentication.
apiRequest.AuthToken = authenticateRequest(lrw, r, handler, readMethod)
if apiRequest.AuthToken == nil {
// Authenticator already replied.
return nil
}
// Wait for the owning module to be ready.
if moduleHandler, ok := handler.(ModuleHandler); ok {
if !moduleIsReady(moduleHandler.BelongsTo()) {
http.Error(lrw, "The API endpoint is not ready yet. Please try again later.", http.StatusServiceUnavailable)
return nil
}
} }
// Check if we have a handler. // Check if we have a handler.