Extends CrudApiPlugin with support for CORS. Closes #1191 (#1192)

waldekmastykarz · web-flow · commit d6930ae9aefd · 2025-05-19T07:01:54.000-07:00
diff --git a/dev-proxy-plugins/Mocks/CrudApiPlugin.cs b/dev-proxy-plugins/Mocks/CrudApiPlugin.cs
@@ -65,6 +65,8 @@ public class CrudApiConfiguration
 {
     public string ApiFile { get; set; } = "api.json";
     public string BaseUrl { get; set; } = string.Empty;
+    [JsonPropertyName("enableCors")]
+    public bool EnableCORS { get; set; } = true;
     public string DataFile { get; set; } = string.Empty;
     public IEnumerable<CrudApiAction> Actions { get; set; } = [];
     [System.Text.Json.Serialization.JsonConverter(typeof(JsonStringEnumConverter))]
@@ -165,6 +167,13 @@ protected virtual Task OnRequestAsync(object? sender, ProxyRequestArgs e)
             return Task.CompletedTask;
         }
 
+        if (IsCORSPreflightRequest(request) && _configuration.EnableCORS)
+        {
+            SendEmptyResponse(HttpStatusCode.NoContent, e.Session);
+            Logger.LogRequest("CORS preflight request", MessageType.Mocked, new LoggingContext(e.Session));
+            return Task.CompletedTask;
+        }
+
         if (!AuthorizeRequest(e))
         {
             SendUnauthorizedResponse(e.Session);
@@ -193,6 +202,35 @@ protected virtual Task OnRequestAsync(object? sender, ProxyRequestArgs e)
         return Task.CompletedTask;
     }
 
+    private static bool IsCORSPreflightRequest(Request request)
+    {
+        return request.Method == "OPTIONS" &&
+               request.Headers.Any(h => h.Name.Equals("Origin", StringComparison.OrdinalIgnoreCase));
+    }
+
+    private void AddCORSHeaders(Request request, List<HttpHeader> headers)
+    {
+        var origin = request.Headers.FirstOrDefault(h => h.Name.Equals("Origin", StringComparison.OrdinalIgnoreCase))?.Value;
+        if (string.IsNullOrEmpty(origin))
+        {
+            return;
+        }
+
+        headers.Add(new HttpHeader("access-control-allow-origin", origin));
+
+        if (_configuration.EntraAuthConfig is not null)
+        {
+            headers.Add(new HttpHeader("access-control-allow-headers", "authorization"));
+        }
+
+        var methods = string.Join(", ", _configuration.Actions
+            .Where(a => a.Method is not null)
+            .Select(a => a.Method)
+            .Distinct());
+
+        headers.Add(new HttpHeader("access-control-allow-methods", methods));
+    }
+
     private bool AuthorizeRequest(ProxyRequestArgs e, CrudApiAction? action = null)
     {
         var authType = action is null ? _configuration.Auth : action.Auth;
@@ -304,12 +342,12 @@ private static bool HasPermission(string permission, string permissionString)
         return permissions.Contains(permission, StringComparer.OrdinalIgnoreCase);
     }
 
-    private static void SendUnauthorizedResponse(SessionEventArgs e)
+    private void SendUnauthorizedResponse(SessionEventArgs e)
     {
         SendJsonResponse("{\"error\":{\"message\":\"Unauthorized\"}}", HttpStatusCode.Unauthorized, e);
     }
 
-    private static void SendNotFoundResponse(SessionEventArgs e)
+    private void SendNotFoundResponse(SessionEventArgs e)
     {
         SendJsonResponse("{\"error\":{\"message\":\"Not found\"}}", HttpStatusCode.NotFound, e);
     }
@@ -327,25 +365,19 @@ private static string ReplaceParams(string query, IDictionary<string, string> pa
         return result;
     }
 
-    private static void SendEmptyResponse(HttpStatusCode statusCode, SessionEventArgs e)
+    private void SendEmptyResponse(HttpStatusCode statusCode, SessionEventArgs e)
     {
         var headers = new List<HttpHeader>();
-        if (e.HttpClient.Request.Headers.Any(h => h.Name == "Origin"))
-        {
-            headers.Add(new HttpHeader("access-control-allow-origin", "*"));
-        }
+        AddCORSHeaders(e.HttpClient.Request, headers);
         e.GenericResponse("", statusCode, headers);
     }
 
-    private static void SendJsonResponse(string body, HttpStatusCode statusCode, SessionEventArgs e)
+    private void SendJsonResponse(string body, HttpStatusCode statusCode, SessionEventArgs e)
     {
         var headers = new List<HttpHeader> {
             new("content-type", "application/json; charset=utf-8")
         };
-        if (e.HttpClient.Request.Headers.Any(h => h.Name == "Origin"))
-        {
-            headers.Add(new HttpHeader("access-control-allow-origin", "*"));
-        }
+        AddCORSHeaders(e.HttpClient.Request, headers);
         e.GenericResponse(body, statusCode, headers);
     }
 
diff --git a/schemas/v0.28.0/crudapiplugin.apifile.schema.json b/schemas/v0.28.0/crudapiplugin.apifile.schema.json
@@ -12,6 +12,10 @@
       "type": "string",
       "description": "Base URL where Dev Proxy exposes the API. Dev Proxy prepends this base URL to the URLs defined in actions."
     },
+    "enableCors": {
+      "type": "boolean",
+      "description": "Set to true to enable CORS for the API. Default is true."
+    },
     "dataFile": {
       "type": "string",
       "description": "Path to the file that contains the data for the API. The file must define a JSON array."
