CORS added for cross-site requests and readme updated

README.md

@@ -56,6 +56,8 @@ To use an older version of ElasticSearch please download the data from [here](ht
 
 Check the URL `http://localhost:2322/api?q=berlin` to see if photon is running without problems. You may want to use our [leaflet plugin](https://github.com/komoot/leaflet.photon) to see the results on a map.
 
+To enable CORS (cross-site requests), use `-cors-any` to allow any origin or `-cors-origin` with a specific origin as the argument. By default, CORS support is disabled.
+
 discover more of photon's feature with its usage `java -jar photon-*.jar -h`.
 
 

src/main/java/de/komoot/photon/App.java

@@ -6,6 +6,7 @@
 import de.komoot.photon.elasticsearch.Server;
 import de.komoot.photon.nominatim.NominatimConnector;
 import de.komoot.photon.nominatim.NominatimUpdater;
+import de.komoot.photon.utils.CorsFilter;
 import lombok.extern.slf4j.Slf4j;
 import org.elasticsearch.client.Client;
 import spark.Request;
@@ -26,6 +27,9 @@ public static void main(String[] rawArgs) throws Exception {
         final JCommander jCommander = new JCommander(args);
         try {
             jCommander.parse(rawArgs);
+            if (args.isCorsAnyOrigin() && args.getCorsOrigin() != null) { // these are mutually exclusive
+                throw new ParameterException("Use only one cors configuration type");
+            }
         } catch (ParameterException e) {
             log.warn("could not start photon: " + e.getMessage());
             jCommander.usage();
@@ -134,9 +138,18 @@ private static void startNominatimImport(CommandLineArgs args, Server esServer,
      * @param esNodeClient
      */
     private static void startApi(CommandLineArgs args, Client esNodeClient) {
-        setPort(args.getListenPort());
-        setIpAddress(args.getListenIp());
-
+        port(args.getListenPort());
+        ipAddress(args.getListenIp());
+
+        String allowedOrigin = args.isCorsAnyOrigin() ? "*" : args.getCorsOrigin();
+        if (allowedOrigin != null) {
+            CorsFilter.enableCORS(allowedOrigin, "get", "*");
+        } else {
+            before((request, response) -> {
+                response.type("application/json"); // in the other case set by enableCors
+            });
+        }
+
         // setup search API
         get("api", new SearchRequestHandler("api", esNodeClient, args.getLanguages()));
         get("api/", new SearchRequestHandler("api/", esNodeClient, args.getLanguages()));

src/main/java/de/komoot/photon/CommandLineArgs.java

@@ -56,6 +56,12 @@ public class CommandLineArgs {
     @Parameter(names = "-listen-ip", description = "listen to address (default '0.0.0.0')")
     private String listenIp = "0.0.0.0";
 
+    @Parameter(names = "-cors-any", description = "enable cross-site resource sharing foe any origin ((default CORS not supported)")
+    private boolean corsAnyOrigin = false;
+
+    @Parameter(names = "-cors-origin", description = "enable cross-site resource sharing for the specified origin (default CORS not supported)")
+    private String corsOrigin = null;
+
     @Parameter(names = "-h", description = "show help / usage")
     private boolean usage = false;
 }

src/main/java/de/komoot/photon/ReverseSearchRequestHandler.java

@@ -49,8 +49,6 @@ public String handle(Request request, Response response) {
         ReverseRequestHandler<R> handler = requestHandlerFactory.createHandler(photonRequest);
         List<JSONObject> results = handler.handle(photonRequest);
         JSONObject geoJsonResults = geoJsonConverter.convert(results);
-        response.type("application/json; charset=utf-8");
-        response.header("Access-Control-Allow-Origin", "*");
         if (request.queryParams("debug") != null)
             return geoJsonResults.toString(4);
 

src/main/java/de/komoot/photon/SearchRequestHandler.java

@@ -49,11 +49,9 @@ public String handle(Request request, Response response) {
         PhotonRequestHandler<R> handler = requestHandlerFactory.createHandler(photonRequest);
         List<JSONObject> results = handler.handle(photonRequest);
         JSONObject geoJsonResults = geoJsonConverter.convert(results);
-        response.type("application/json; charset=utf-8");
-        response.header("Access-Control-Allow-Origin", "*");
         if (request.queryParams("debug") != null)
             return geoJsonResults.toString(4);
 
         return geoJsonResults.toString();
     }
-}
+}

src/main/java/de/komoot/photon/utils/CorsFilter.java

@@ -0,0 +1,42 @@
+package de.komoot.photon.utils;
+
+import static spark.Spark.before;
+import static spark.Spark.options;
+
+public class CorsFilter {
+
+    // 
+    /**
+     * Enables CORS on requests. This method is an initialization method and should be called once.
+     * 
+     * As a side effect this sets the content type for the response to "application/json"
+     * 
+     * @param origin permitted origin
+     * @param methods permitted methods comma separated
+     * @param headers permitted headers comma separated
+     */
+    public static void enableCORS(final String origin, final String methods, final String headers) {
+
+        options("/*", (request, response) -> {
+
+            String accessControlRequestHeaders = request.headers("Access-Control-Request-Headers");
+            if (accessControlRequestHeaders != null) {
+                response.header("Access-Control-Allow-Headers", accessControlRequestHeaders);
+            }
+
+            String accessControlRequestMethod = request.headers("Access-Control-Request-Method");
+            if (accessControlRequestMethod != null) {
+                response.header("Access-Control-Allow-Methods", accessControlRequestMethod);
+            }
+
+            return "OK";
+        });
+
+        before((request, response) -> {
+            response.header("Access-Control-Allow-Origin", origin);
+            response.header("Access-Control-Request-Method", methods);
+            response.header("Access-Control-Allow-Headers", headers);
+            response.type("application/json");
+        });
+    }
+}