Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make CORS configurable #66

Closed
chillu opened this issue Feb 1, 2017 · 5 comments
Closed

Make CORS configurable #66

chillu opened this issue Feb 1, 2017 · 5 comments
Labels
affects/v4 type/enhancement

Comments

@chillu
Copy link
Member

chillu commented Feb 1, 2017
edited
Loading

GraphQL APIs will be consumed by third party apps on other hosts, e.g. sending XHR requests from your custom web app to a centralised SaaS solution running a SilverStripe-powered GraphQL endpoint. This requires Cross Origin Resource Sharing

See https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/RESTfulAPI.md#cors for an example.
@PapaBearNZ
Copy link
Contributor

PapaBearNZ commented Feb 2, 2017
edited
Loading

First draft of patch for this issue is up on my fork https://github.com/PapaBearNZ/silverstripe-graphql

Patch adds Yaml config for CORS to the graphql module. Also adds a check for the pre-flight OPTIONS request, and if CORS is enabled, adds the appropriate headers to the response object - both for the OPTIONS response and for the actual data response.

No unit tests as yet.

Looking for suggestions and comments on improvements.

One concern is the 301 redirect from SS to get around the fact that the module folder and the graphql endpoint are the same name. This redirect breaks CORS pre-flight. I suggest that the module folder be renamed to silverstripe-graphql but I realise that this may not be possible for other reasons of which I'm not aware.

@chillu
Copy link
Member Author

chillu commented Feb 2, 2017
edited
Loading

Looks great :) A few comments:

  • processCorsConfig() would be better named as getCorsResponse()
  • Can you add this to the README please? :)
  • Tests - but you've already noted that on the chat, heh
  • Needs default YAML config
  • Should default to an empty string for Allow-Origin, so we don't inadvertendly open up installs to the world via *
  • Access-Control-Allow-Headers should only contain GET and POST. The other REST verbs aren't happed for GraphQL
  • The 86400 default should be in the default YAML config, not hardcoded in the logic

I've fixed the 301 redirect, see silverstripe/silverstripe-installer#152

@PapaBearNZ
Copy link
Contributor

Thanks Ingo.

Regarding the allow headers . I think we still need the OPTIONS method as well. Otherwise won't the request bounce?

Understood about the YAML default config and I agree with the suggestion of defaulting to denied rather than open. I used '*' because that's what the REST module used but denied is a safer default. I'll make the appropriate changes and hopefully have a PR ready later today.

Thanks for the work on the redirect issue. I'll update and test that.

Regarding the README - no problem there. However, the docs are getting pretty big. Is this going to be updated and pushed to docs/en?

PapaBearNZ pushed a commit to PapaBearNZ/silverstripe-graphql that referenced this issue Feb 2, 2017
Issue silverstripe#66: Moved default CORS config into YAML.
b213f33
PapaBearNZ pushed a commit to PapaBearNZ/silverstripe-graphql that referenced this issue Feb 6, 2017
API Added CORS pre-flight handler (fixes silverstripe#66)
6f15902 
Added getCorsResponse() to GraphQL to detect a CORS preflight OPTIONS request and append the correct headers. Also checks the origin is an allowed domain for cross-origin requests. Included unittests for invalid origin, valid origin, OPTIONS request type.
@PapaBearNZ
Copy link
Contributor

#69 PR submitted.

@PapaBearNZ PapaBearNZ mentioned this issue Feb 7, 2017
Merged
PapaBearNZ pushed a commit to PapaBearNZ/silverstripe-graphql that referenced this issue Feb 9, 2017
API Added CORS pre-flight handler (fixes silverstripe#66)
aa1576f 
Added getCorsResponse() to GraphQL to detect a CORS preflight OPTIONS request and append the correct headers. Also checks the origin is an allowed domain for cross-origin requests. Included unittests for invalid origin, valid origin, OPTIONS request type.
PapaBearNZ pushed a commit to PapaBearNZ/silverstripe-graphql that referenced this issue Feb 9, 2017
FEATURE: CORS Request Handler (silverstripe#66)
9dbbf99 
* Added addCorsHeaders() function to append appropriate headers to response
  if necessary.
* Added cors section to SilverStripe\GraphQL config object.
* Added UnitTests.
* Added README documentation for CORS handling.
PapaBearNZ pushed a commit to PapaBearNZ/silverstripe-graphql that referenced this issue Feb 9, 2017
FEATURE: CORS Request Handler (silverstripe#66)
cc0a672 
    * Added addCorsHeaders() function to append appropriate headers to response
      if necessary.
    * Added cors section to SilverStripe\GraphQL config object.
    * Added UnitTests.
    * Added README documentation for CORS handling.
chillu pushed a commit that referenced this issue Feb 9, 2017
@PapaBearNZ @chillu
FEATURE: CORS Request Handler (#66) (#69)
f2190da 
* Added addCorsHeaders() function to append appropriate headers to response
      if necessary.
    * Added cors section to SilverStripe\GraphQL config object.
    * Added UnitTests.
    * Added README documentation for CORS handling.
@tractorcow
Copy link
Contributor

Looks like this was fixed with #69 not sure why it's still open.

@flamerohr flamerohr mentioned this issue Jan 22, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects/v4 type/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chillu @PapaBearNZ @tractorcow