add missing cors config

2026-02-21 21:19:01 -06:00 · 2023-03-31 23:18:00 +02:00
parent 8f6f52c2ec
commit e313248cee
9 changed files with 94 additions and 0 deletions
--- a/changelog/unreleased/more-cors-config.md
+++ b/changelog/unreleased/more-cors-config.md
@@ -0,0 +1,5 @@
+Bugfix: Add missing CORS config
+
+The graph, userlog and ocdav services had no CORS config options.
+
+https://github.com/owncloud/ocis/pull/5987
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -112,3 +112,11 @@ type Events struct {
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false."`
 	EnableTLS            bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;GRAPH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
+
+// CORS defines the available cors configuration.
+type CORS struct {
+	AllowedOrigins   []string `yaml:"allow_origins" env:"OCIS_CORS_ALLOW_ORIGINS;GRAPH_CORS_ALLOW_ORIGINS" desc:"A comma-separated list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"`
+	AllowedMethods   []string `yaml:"allow_methods" env:"OCIS_CORS_ALLOW_METHODS;GRAPH_CORS_ALLOW_METHODS" desc:"A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method"`
+	AllowedHeaders   []string `yaml:"allow_headers" env:"OCIS_CORS_ALLOW_HEADERS;GRAPH_CORS_ALLOW_HEADERS" desc:"A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers."`
+	AllowCredentials bool     `yaml:"allow_credentials" env:"OCIS_CORS_ALLOW_CREDENTIALS;GRAPH_CORS_ALLOW_CREDENTIALS" desc:"Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials."`
+}
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -30,6 +30,12 @@ func DefaultConfig() *config.Config {
 			Addr:      "127.0.0.1:9120",
 			Namespace: "com.owncloud.graph",
 			Root:      "/graph",
+			CORS: config.CORS{
+				AllowedOrigins:   []string{"*"},
+				AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
+				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"},
+				AllowCredentials: true,
+			},
 		},
 		Service: config.Service{
 			Name: "graph",
--- a/services/graph/pkg/config/http.go
+++ b/services/graph/pkg/config/http.go
@@ -9,4 +9,5 @@ type HTTP struct {
 	Root      string                `yaml:"root" env:"GRAPH_HTTP_ROOT" desc:"Subdirectory that serves as the root for this HTTP service."`
 	TLS       shared.HTTPServiceTLS `yaml:"tls"`
 	APIToken  string                `yaml:"apitoken" env:"GRAPH_HTTP_API_TOKEN" desc:"An optional API bearer token"`
+	CORS      CORS                  `yaml:"cors"`
 }
--- a/services/graph/pkg/server/http/server.go
+++ b/services/graph/pkg/server/http/server.go
@@ -13,6 +13,7 @@ import (
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-micro/plugins/v4/events/natsjs"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	"github.com/owncloud/ocis/v2/ocis-pkg/cors"
 	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
@@ -98,6 +99,14 @@ func Server(opts ...Option) (http.Service, error) {
 		middleware.Logger(
 			options.Logger,
 		),
+		middleware.Cors(
+			cors.Logger(options.Logger),
+			cors.AllowedOrigins(options.Config.HTTP.CORS.AllowedOrigins),
+			cors.AllowedMethods(options.Config.HTTP.CORS.AllowedMethods),
+			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
+			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
+		),
+		middleware.Secure,
 	}
 	// how do we secure the api?
 	var requireAdminMiddleware func(stdhttp.Handler) stdhttp.Handler
--- a/services/ocdav/pkg/command/server.go
+++ b/services/ocdav/pkg/command/server.go
@@ -56,6 +56,10 @@ func Server(cfg *config.Config) *cli.Command {
 					ocdav.Context(ctx),
 					ocdav.Logger(logger.Logger),
 					ocdav.Address(cfg.HTTP.Addr),
+					ocdav.AllowCredentials(cfg.HTTP.CORS.AllowCredentials),
+					ocdav.AllowedMethods(cfg.HTTP.CORS.AllowedMethods),
+					ocdav.AllowedHeaders(cfg.HTTP.CORS.AllowedHeaders),
+					ocdav.AllowedOrigins(cfg.HTTP.CORS.AllowedOrigins),
 					ocdav.FilesNamespace(cfg.FilesNamespace),
 					ocdav.WebdavNamespace(cfg.WebdavNamespace),
 					ocdav.SharesNamespace(cfg.SharesNamespace),
--- a/services/ocdav/pkg/config/config.go
+++ b/services/ocdav/pkg/config/config.go
@@ -66,6 +66,15 @@ type HTTPConfig struct {
 	Namespace string `yaml:"-"`
 	Protocol  string `yaml:"protocol" env:"OCDAV_HTTP_PROTOCOL" desc:"The transport protocol of the HTTP service."`
 	Prefix    string `yaml:"prefix" env:"OCDAV_HTTP_PREFIX" desc:"A URL path prefix for the handler."`
+	CORS      `yaml:"cors"`
+}
+
+// CORS defines the available cors configuration.
+type CORS struct {
+	AllowedOrigins   []string `yaml:"allow_origins" env:"OCIS_CORS_ALLOW_ORIGINS;OCDAV_CORS_ALLOW_ORIGINS" desc:"A comma-separated list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"`
+	AllowedMethods   []string `yaml:"allow_methods" env:"OCIS_CORS_ALLOW_METHODS;OCDAV_CORS_ALLOW_METHODS" desc:"A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method"`
+	AllowedHeaders   []string `yaml:"allow_headers" env:"OCIS_CORS_ALLOW_HEADERS;OCDAV_CORS_ALLOW_HEADERS" desc:"A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers."`
+	AllowCredentials bool     `yaml:"allow_credentials" env:"OCIS_CORS_ALLOW_CREDENTIALS;OCDAV_CORS_ALLOW_CREDENTIALS" desc:"Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials."`
 }

 // Status holds the configurable values for the status.php
--- a/services/ocdav/pkg/config/defaults/defaultconfig.go
+++ b/services/ocdav/pkg/config/defaults/defaultconfig.go
@@ -29,6 +29,49 @@ func DefaultConfig() *config.Config {
 			Namespace: "com.owncloud.web",
 			Protocol:  "tcp",
 			Prefix:    "",
+			CORS: config.CORS{
+				AllowedOrigins: []string{"*"},
+				AllowedMethods: []string{
+					"OPTIONS",
+					"HEAD",
+					"GET",
+					"PUT",
+					"POST",
+					"DELETE",
+					"MKCOL",
+					"PROPFIND",
+					"PROPPATCH",
+					"MOVE",
+					"COPY",
+					"REPORT",
+					"SEARCH",
+				},
+				AllowedHeaders: []string{
+					"Origin",
+					"Accept",
+					"Content-Type",
+					"Depth",
+					"Authorization",
+					"Ocs-Apirequest",
+					"If-None-Match",
+					"If-Match",
+					"Destination",
+					"Overwrite",
+					"X-Request-Id",
+					"X-Requested-With",
+					"Tus-Resumable",
+					"Tus-Checksum-Algorithm",
+					"Upload-Concat",
+					"Upload-Length",
+					"Upload-Metadata",
+					"Upload-Defer-Length",
+					"Upload-Expires",
+					"Upload-Checksum",
+					"Upload-Offset",
+					"X-HTTP-Method-Override",
+				},
+				AllowCredentials: true,
+			},
 		},
 		Service: config.Service{
 			Name: "ocdav",
--- a/services/userlog/pkg/server/http/server.go
+++ b/services/userlog/pkg/server/http/server.go
@@ -8,6 +8,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	"github.com/owncloud/ocis/v2/ocis-pkg/cors"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/http"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
@@ -54,6 +55,14 @@ func Server(opts ...Option) (http.Service, error) {
 			account.Logger(options.Logger),
 			account.JWTSecret(options.Config.TokenManager.JWTSecret),
 		),
+		middleware.Cors(
+			cors.Logger(options.Logger),
+			cors.AllowedOrigins(options.Config.HTTP.CORS.AllowedOrigins),
+			cors.AllowedMethods(options.Config.HTTP.CORS.AllowedMethods),
+			cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
+			cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
+		),
+		middleware.Secure,
 	}

 	mux := chi.NewMux()