feat(cors): add access control allow private network handling (#554)

Author: nicolasalexandre9

.gitignore

@@ -11,6 +11,7 @@
 /test/dummy/db/*.sqlite3
 /spec/dummy/log/
 /spec/dummy/db/*.sqlite3
+/spec/dummy/tmp/
 /tmp/
 .byebug_history
 

lib/forest_liana/engine.rb

@@ -8,6 +8,21 @@
 require_relative 'bootstrapper'
 require_relative 'collection'
 
+module Rack
+  class Cors
+    class Resource
+      def to_preflight_headers(env)
+        h = to_headers(env)
+        h['Access-Control-Allow-Private-Network'] = 'true' if env['HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK'] == 'true'
+        if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
+          h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
+        end
+        h
+      end
+    end
+  end
+end
+
 module ForestLiana
   class Engine < ::Rails::Engine
     isolate_namespace ForestLiana

spec/requests/cors_spec.rb

@@ -0,0 +1,65 @@
+require 'rails_helper'
+require 'rack/test'
+require 'rack/cors'
+
+class CaptureResult
+  def initialize(app, options = {})
+    @app = app
+    @result_holder = options[:holder]
+  end
+
+  def call(env)
+    env['HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK'] = 'true'
+    response = @app.call(env)
+    @result_holder.cors_result = env[Rack::Cors::RACK_CORS]
+    response
+  end
+end
+
+describe Rack::Cors do
+
+  include Rack::Test::Methods
+
+  attr_accessor :cors_result
+
+  def load_app(name, options = {})
+    test = self
+    Rack::Builder.new do
+      use CaptureResult, holder: test
+      eval File.read(File.dirname(__FILE__) + "/#{name}.ru")
+      use FakeProxy if options[:proxy]
+      map('/') do
+        run(lambda do |_env|
+          [
+            200,
+           {
+              'Content-Type' => 'text/html',
+            },
+            ['success']
+          ]
+        end)
+      end
+    end
+  end
+
+  let(:app) { load_app('test') }
+
+  describe 'preflight requests' do
+    it 'should allow private network' do
+      preflight_request('http://localhost:3000', '/')
+      assert !last_response.headers['Access-Control-Allow-Private-Network'].nil?
+      assert last_response.headers['Access-Control-Allow-Private-Network'] == 'true'
+    end
+  end
+
+  protected
+
+  def preflight_request(origin, path, opts = {})
+    header 'Origin', origin
+    unless opts.key?(:method) && opts[:method].nil?
+      header 'Access-Control-Request-Method', opts[:method] ? opts[:method].to_s.upcase : 'GET'
+    end
+    header 'Access-Control-Request-Headers', opts[:headers] if opts[:headers]
+    options path
+  end
+end

spec/requests/test.ru

@@ -0,0 +1,12 @@
+require 'rack/cors'
+
+use Rack::Lint
+use Rack::Cors do
+  allow do
+    origins 'localhost:3000',
+            '127.0.0.1:3000'
+
+    resource '/', headers: :any, methods: :any
+    resource '/options', methods: :options
+  end
+end