Support for CORS preflight

[danielrohe]

Is your feature request related to a problem? Please describe.

Currently skipper only supports setting the CORS origin on the response but CORS also requires a preflight request (OPTIONS request) in certain cases (non form-based requests). I want skipper to handle CORS preflight requests.

Describe the solution you would like

The solution should provide a skipper filter corsPreflight similar to the corsOrigin filter. The corsPreflight filter should be configurable allowing users to set the response headers Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers. If they are not set meaningful defaults are used, i.e. Access-Control-Allow-Origin = *, Access-Control-Allow-Methods = GET, POST, PUT, DELETE, PATCH, OPTIONS and Access-Control-Allow-Headers = *.

The filter should only work on requests with method OPTIONS. When executed the filter should set the response headers as configured and the status to 200 and return this response. It should not forward the request to the backend.

Would you like to work on it?

Yes, but no time.

[AlexanderYastrebov]

Related to #595 and #559.

Will this filter do anything that is not currently possible with combination of existing predicates and filters?

[danielrohe]

Using predicates and filters would make writing routing rules much more complex as people would have to maintain at least two different routes, one for the original request and a second one for the preflight-request. Especially when other filters are included this would increase maintenance more compared to having a filter on the same route that handles CORS preflight requests directly.

[szuecs]

@danielrohe can you show some example configuration in the description of the issue? Thanks

[danielrohe]

without this filter developers will always have to define two routes and an additional shunt backend.

- pathSubtree: /something
  filters:
  - corsOrigin
  - oauthTokenInfoScopes("uid")
- pathSubtree: /something
  predicates:
  - Method("OPTIONS")
  filters:
  - setResponseHeader("Access-Control-Allow-Origin", "*")
  - setResponseHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
  - setResponseHeader("Access-Control-Allow-Headers", "*")
  - status(200)
  backend:
    name: theShunt

with this filter it will just be the one route

- pathSubtree: /something
  filters:
  - corsOrigin
  - corsPreflight
  - oauthTokenInfoScopes("uid")

this reduces the code to write quite heavily and makes the whole routing configuration much more readable.