Merge pull request hybridgroup#111 from hybridgroup/176-cors-header

176 cors header
ardelldou · Sep 18, 2014 · 843ee4d · 843ee4d
2 parents 39d3795 + f602344
commit 843ee4d
Show file tree

Hide file tree

Showing 4 changed files with 187 additions and 0 deletions.
diff --git a/api/api.go b/api/api.go
@@ -25,6 +25,7 @@ type api struct {
 	Password string
 	Cert     string
 	Key      string
+	cors     *CORS
 	handlers []func(http.ResponseWriter, *http.Request)
 	start    func(*api)
 }
@@ -92,6 +93,25 @@ func (a *api) SetBasicAuth(user, password string) {
 	a.AddHandler(a.basicAuth)
 }
 
+func (a *api) AllowRequestsFrom(allowedOrigins ...string) {
+	a.SetCORS(NewCORS(allowedOrigins))
+}
+
+func (a *api) SetCORS(cors *CORS) {
+	a.cors = cors
+	a.AddHandler(a.CORSHandler)
+}
+
+func (a *api) CORSHandler(w http.ResponseWriter, req *http.Request) {
+	origin := req.Header.Get("Origin")
+	if a.cors.isOriginAllowed(origin) {
+		w.Header().Set("Access-Control-Allow-Origin", origin)
+		w.Header().Set("Access-Control-Allow-Headers", a.cors.AllowedHeaders())
+		w.Header().Set("Access-Control-Allow-Methods", a.cors.AllowedMethods())
+		w.Header().Set("Content-Type", a.cors.ContentType)
+	}
+}
+
 func (a *api) SetDebug() {
 	a.AddHandler(func(res http.ResponseWriter, req *http.Request) {
 		log.Println(req)

diff --git a/api/api_test.go b/api/api_test.go
@@ -30,6 +30,7 @@ func initTestAPI() *api {
 
 	return a
 }
+
 func TestBasicAuth(t *testing.T) {
 	a := initTestAPI()
 
@@ -48,6 +49,35 @@ func TestBasicAuth(t *testing.T) {
 	gobot.Assert(t, response.Code, 401)
 }
 
+func TestAPIAllowRequestsFrom(t *testing.T) {
+	api := initTestAPI()
+	api.AllowRequestsFrom("http://server.com")
+	gobot.Assert(t, api.cors.AllowOrigins, []string{"http://server.com"})
+}
+
+func TestCORS(t *testing.T) {
+	api := initTestAPI()
+
+	// Accepted origin
+	allowedOrigin := []string{"http://server.com"}
+	api.AllowRequestsFrom(allowedOrigin[0])
+
+	request, _ := http.NewRequest("GET", "/api/", nil)
+	request.Header.Set("Origin", allowedOrigin[0])
+	response := httptest.NewRecorder()
+	api.ServeHTTP(response, request)
+	gobot.Assert(t, response.Header()["Access-Control-Allow-Origin"], allowedOrigin)
+
+	// Not accepted Origin
+	disallowedOrigin := []string{"http://disallowed.com"}
+	request, _ = http.NewRequest("GET", "/api/", nil)
+	request.Header.Set("Origin", disallowedOrigin[0])
+	response = httptest.NewRecorder()
+	api.ServeHTTP(response, request)
+	gobot.Refute(t, response.Header()["Access-Control-Allow-Origin"], disallowedOrigin)
+	gobot.Refute(t, response.Header()["Access-Control-Allow-Origin"], allowedOrigin)
+}
+
 func TestRobeaux(t *testing.T) {
 	a := initTestAPI()
 	// html assets

diff --git a/api/cors.go b/api/cors.go
@@ -0,0 +1,56 @@
+package api
+
+import (
+	"regexp"
+	"strings"
+)
+
+type CORS struct {
+	AllowOrigins        []string
+	AllowHeaders        []string
+	AllowMethods        []string
+	ContentType         string
+	allowOriginPatterns []string
+}
+
+func NewCORS(allowedOrigins []string) *CORS {
+	cors := &CORS{
+		AllowOrigins: allowedOrigins,
+		AllowMethods: []string{"GET", "POST"},
+		AllowHeaders: []string{"Origin", "Content-Type"},
+		ContentType:  "application/json; charset=utf-8",
+	}
+
+	cors.generatePatterns()
+
+	return cors
+}
+
+func (c *CORS) isOriginAllowed(origin string) (allowed bool) {
+	for _, allowedOriginPattern := range c.allowOriginPatterns {
+		allowed, _ = regexp.MatchString(allowedOriginPattern, origin)
+		if allowed {
+			return
+		}
+	}
+	return
+}
+
+func (c *CORS) generatePatterns() {
+	if c.AllowOrigins != nil {
+		for _, origin := range c.AllowOrigins {
+			pattern := regexp.QuoteMeta(origin)
+			pattern = strings.Replace(pattern, "\\*", ".*", -1)
+			pattern = strings.Replace(pattern, "\\?", ".", -1)
+			c.allowOriginPatterns = append(c.allowOriginPatterns, "^"+pattern+"$")
+		}
+	}
+}
+
+func (c *CORS) AllowedHeaders() string {
+	return strings.Join(c.AllowHeaders, ",")
+}
+
+func (c *CORS) AllowedMethods() string {
+	return strings.Join(c.AllowMethods, ",")
+}
diff --git a/api/cors_test.go b/api/cors_test.go
@@ -0,0 +1,81 @@
+package api
+
+import (
+	"github.com/hybridgroup/gobot"
+	"testing"
+)
+
+func TestNewCORS(t *testing.T) {
+	var cors interface{} = NewCORS([]string{})
+
+	// Does it return a pointer to an instance of CORS?
+	_, ok := cors.(*CORS)
+	if !ok {
+		t.Errorf("NewCORS() should have returned a *CORS")
+	}
+}
+
+func TestNewCorsSetsProperties(t *testing.T) {
+	allowedOrigins := []string{"http://*server:*", "http://localhost:*"}
+	allowedMethods := []string{"GET", "POST"}
+	allowedHeaders := []string{"Origin", "Content-Type"}
+	contentType := "application/json; charset=utf-8"
+	allowOriginPatterns := []string{"^http://.*server:.*$", "^http://localhost:.*$"}
+
+	cors := NewCORS(allowedOrigins)
+
+	gobot.Assert(t, cors.AllowOrigins, allowedOrigins)
+	gobot.Assert(t, cors.AllowMethods, allowedMethods)
+	gobot.Assert(t, cors.AllowHeaders, allowedHeaders)
+	gobot.Assert(t, cors.ContentType, contentType)
+	gobot.Assert(t, cors.allowOriginPatterns, allowOriginPatterns)
+}
+
+func TestCORSIsOriginAllowed(t *testing.T) {
+	cors := NewCORS([]string{"*"})
+
+	// When all the origins are accepted
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:8000"), true)
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:3001"), true)
+	gobot.Assert(t, cors.isOriginAllowed("http://server.com"), true)
+
+	// When one origin is accepted
+	cors = NewCORS([]string{"http://localhost:8000"})
+
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:8000"), true)
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:3001"), false)
+	gobot.Assert(t, cors.isOriginAllowed("http://server.com"), false)
+
+	// When several origins are accepted
+	cors = NewCORS([]string{"http://localhost:*", "http://server.com"})
+
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:8000"), true)
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:3001"), true)
+	gobot.Assert(t, cors.isOriginAllowed("http://server.com"), true)
+
+	// When several origins are accepted within the same domain
+	cors = NewCORS([]string{"http://*.server.com"})
+
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:8000"), false)
+	gobot.Assert(t, cors.isOriginAllowed("http://localhost:3001"), false)
+	gobot.Assert(t, cors.isOriginAllowed("http://foo.server.com"), true)
+	gobot.Assert(t, cors.isOriginAllowed("http://api.server.com"), true)
+}
+
+func TestCORSAllowedHeaders(t *testing.T) {
+	cors := NewCORS([]string{"*"})
+
+	cors.AllowHeaders = []string{"Header1", "Header2"}
+
+	gobot.Assert(t, cors.AllowedHeaders(), "Header1,Header2")
+}
+
+func TestCORSAllowedMethods(t *testing.T) {
+	cors := NewCORS([]string{"*"})
+
+	gobot.Assert(t, cors.AllowedMethods(), "GET,POST")
+
+	cors.AllowMethods = []string{"GET", "POST", "PUT"}
+
+	gobot.Assert(t, cors.AllowedMethods(), "GET,POST,PUT")
+}