Merge pull request #45 from delta10/fix/42-options-response-filter-proxy

Make configuring CORS headers more robust

Author: bartjkdp

cmd/filter-proxy/main.go

@@ -45,12 +45,6 @@ func main() {
 
 		if path.Passthrough {
 			router.PathPrefix(path.Path).HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if r.Method == http.MethodOptions {
-					w.Header().Add("Methods", "OPTIONS, GET, HEAD")
-					writeError(w, http.StatusOK, "options response from filter-proxy")
-					return
-				}
-
 				client := &http.Client{}
 
 				//http: Request.RequestURI can't be set in client requests.
@@ -105,12 +99,6 @@ func main() {
 					return
 				}
 
-				if r.Method == http.MethodOptions {
-					w.Header().Add("Methods", "OPTIONS, GET, HEAD")
-					writeError(w, http.StatusOK, "options response from filter-proxy")
-					return
-				}
-
 				utils.DelHopHeaders(r.Header)
 
 				var bodyFilterParams map[string]interface{}
@@ -309,24 +297,42 @@ func main() {
 		}
 	}
 
-	var httpHandler http.Handler
+	// By default allow only https://filter-proxy.local
+	corsOptions := cors.Options{
+		AllowedOrigins: []string{
+			"https://filter-proxy.local",
+		},
+		Debug:              config.Cors.DebugLogging,
+		OptionsPassthrough: false,
+	}
+
 	if len(config.Cors.AllowedOrigins) > 0 {
-		c := cors.New(cors.Options{
-			AllowedOrigins:      config.Cors.AllowedOrigins,
-			AllowedMethods:      config.Cors.AllowedMethods,
-			AllowedHeaders:      config.Cors.AllowedHeaders,
-			AllowCredentials:    config.Cors.AllowCredentials,
-			AllowPrivateNetwork: config.Cors.AllowPrivateNetwork,
-		})
-
-		httpHandler = c.Handler(router)
-	} else {
-		httpHandler = router
+		corsOptions.AllowedOrigins = config.Cors.AllowedOrigins
 	}
 
+	if len(config.Cors.AllowedMethods) > 0 {
+		corsOptions.AllowedMethods = config.Cors.AllowedMethods
+	}
+
+	if len(config.Cors.AllowedHeaders) > 0 {
+		corsOptions.AllowedHeaders = config.Cors.AllowedHeaders
+	}
+
+	if config.Cors.AllowCredentials {
+		corsOptions.AllowCredentials = config.Cors.AllowCredentials
+	}
+
+	if config.Cors.AllowPrivateNetwork {
+		corsOptions.AllowPrivateNetwork = config.Cors.AllowPrivateNetwork
+	}
+
+	c := cors.New(corsOptions)
+
+	handler := c.Handler(router)
+
 	s := &http.Server{
 		Addr:           config.ListenAddress,
-		Handler:        requestLoggingMiddleware(httpHandler),
+		Handler:        requestLoggingMiddleware(handler),
 		ReadTimeout:    10 * time.Second,
 		WriteTimeout:   10 * time.Second,
 		MaxHeaderBytes: 1 << 20,

config.yaml

@@ -7,10 +7,12 @@ listenAddress: localhost:8050
 authorizationServiceUrl: http://localhost:8000/atlas/api/v1/authorize
 
 cors:
-  allowedOrigins: []
-  allowedMethods: []
-  allowedHeaders: []
-  allowCredentials: true
+  # allowedOrigins: ["http://www.test.nl"]
+  # allowedMethods: ["GET"]
+  # allowedHeaders: []
+  # allowCredentials: true
+  # allowPrivateNetwork: true
+  # debugLogging: false
 
 paths:
   - path: /api/ows

internal/config/config.go

@@ -42,6 +42,7 @@ type Cors struct {
 	AllowedHeaders      []string `yaml:"allowedHeaders"`
 	AllowCredentials    bool     `yaml:"allowCredentials"`
 	AllowPrivateNetwork bool     `yaml:"allowPrivateNetwork"`
+	DebugLogging        bool     `yaml:"debugLogging"`
 }
 
 type Config struct {