cors - refactoring

2026-05-24 09:28:37 +00:00 · 2023-05-09 11:42:03 +02:00 · 2023-05-09 11:42:03 +02:00 · 50ee37db0a
commit 50ee37db0a
parent b8d89fe79a
2 changed files with 32 additions and 27 deletions
--- a/src/common/core/cors/confs/server-http/cors.conf
+++ b/src/common/core/cors/confs/server-http/cors.conf
@ -1,5 +0,0 @@
-{% if USE_CORS == "yes" +%}
-{% if CORS_ALLOW_ORIGIN != "" %}add_header Access-Control-Allow-Origin '{{ CORS_ALLOW_ORIGIN }}' always;{% endif %}
-{% if CORS_EXPOSE_HEADERS != "" %}add_header Access-Control-Expose-Headers '{{ CORS_EXPOSE_HEADERS }}' always;{% endif %}
-{% if CORS_ALLOW_CREDENTIALS != "no" %}add_header Access-Control-Allow-Credentials true always;{% endif %}
-{% endif %}
--- a/src/common/core/cors/cors.lua
+++ b/src/common/core/cors/cors.lua
@ -7,6 +7,16 @@ local cors   = class("cors", plugin)
 function cors:initialize()
 	-- Call parent initialize
 	plugin.initialize(self, "cors")
+	self.all_headers = {
+		["CORS_ALLOW_ORIGIN"] = "Access-Control-Allow-Origin",
+		["CORS_EXPOSE_HEADERS"] = "Access-Control-Expose-Headers"
+	}
+	self.preflight_headers = {
+		["CORS_MAX_AGE"] = "Access-Control-Max-Age",
+		["CORS_ALLOW_CREDENTIALS"] = "Access-Control-Allow-Credentials",
+		["CORS_ALLOW_METHODS"] = "Access-Control-Allow-Methods",
+		["CORS_ALLOW_HEADERS"] = "Access-Control-Allow-Headers"
+	}
 end

 function cors:header()
@ -14,25 +24,26 @@ function cors:header()
 	if self.variables["USE_CORS"] ~= "yes" then
 		return self:ret(true, "service doesn't use CORS")
 	end
-	if ngx.ctx.bw.request_method ~= "OPTIONS" then
-		return self:ret(true, "method is not OPTIONS")
-	end
-	-- Add headers
-	local cors_headers = {
-		["CORS_MAX_AGE"] = "Access-Control-Max-Age",
-		["CORS_ALLOW_METHODS"] = "Access-Control-Allow-Methods",
-		["CORS_ALLOW_HEADERS"] = "Access-Control-Allow-Headers"
-	}
-	for variable, header in pairs(cors_headers) do
-		local value = self.variables[variable]
-		if value ~= "" then
-			ngx.header[header] = value
+	-- Standard headers
+	for variable, header in pairs(self.all_headers) do
+		if self.variables[variable] ~= "" then
+			ngx.header[header] = self.variables[variable]
 		end
 	end
-	ngx.header["Content-Type"] = "text/html"
-	ngx.header["Content-Length"] = "0"
-
-	return self:ret(true, "sent CORS policy")
+	-- Preflight request
+	if ngx.ctx.bw.request_method == "OPTIONS" then
+		for variable, header in pairs(self.preflight_headers) do
+			if variable == "CORS_ALLOW_CREDENTIALS" and self.variables["CORS_ALLOW_CREDENTIALS"] == "yes" then
+				ngx.header[header] = "true"
+			elseif self.variables[variable] ~= "" then
+				ngx.header[header] = self.variables[variable]
+			end
+		end
+		ngx.header["Content-Type"] = "text/html"
+		ngx.header["Content-Length"] = "0"
+		return self:ret(true, "edited headers for preflight request")
+	end
+	return self:ret(true, "edited headers for standard request")
 end

 function cors:access()
@ -40,12 +51,11 @@ function cors:access()
 	if self.variables["USE_CORS"] ~= "yes" then
 		return self:ret(true, "service doesn't use CORS")
 	end
-	if ngx.ctx.bw.request_method ~= "OPTIONS" then
-		return self:ret(true, "method is not OPTIONS")
-	end
-
 	-- Send CORS policy with a 204 (no content) status
-	return self:ret(true, "sent CORS policy", ngx.HTTP_NO_CONTENT)
+	if ngx.ctx.bw.request_method == "OPTIONS" then
+		return self:ret(true, "preflight request", ngx.HTTP_NO_CONTENT)
+	end
+	return self:ret(true, "standard request")
 end

 return cors