apia 3.4.0 → 3.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f40c9dba04e5b064ced8833f9edb42f96efd59c9d4e9342a4fa6535a1e76c6ee
-  data.tar.gz: 2506e79260735d3c2029ac7eaa9733e481b975b177506f03fcdeba21760b8781
+  metadata.gz: 655dd00a146e4b25e600c926b0b57f160b8eb22d5908f0a7617c5c69d2781867
+  data.tar.gz: 57e7d53b19ed835966326bea22228b873218865505823ebf5cc13c3694274d30
 SHA512:
-  metadata.gz: 7ae74d9f396b7dda8d14513d072f3e7f0902724c5b3e8bd0a430341f8d1e91dd83e4e6aae0b377dc954e3f248c5da7ba3984da354202fa42043c1e5d8d0e5ba7
-  data.tar.gz: 7e735b6a11cfc48325cd60ce0d01a36cb9eb776afeb2b74c3efe8de034b02413df3c8cec149b9ffa0883af4c85d4f631d7cc9f67e63c169e3fbcaeb4d0dbe517
+  metadata.gz: 16961608a1f749b7dea60e91b26a475fe2079f1c80b0535216a2a4551d8d481298733b33c304d6c6e2dd2811f253011d991fc234e42186e945f778ff7f595738
+  data.tar.gz: b611dd81deba0c3114af55c1fd3a8605ae5a4eb746730ba1d19b27f7b95302857962abbc2e7e2c7f7c4b59f4b1cf7bfffc87a440db3f396c350be4b9eb8f3d0a

data/lib/apia/cors.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Apia
+  class CORS
+
+    attr_accessor :methods
+    attr_accessor :headers
+    attr_accessor :origin
+
+    def initialize
+      @origin = '*'
+      @methods = '*'
+      @headers = []
+    end
+
+    def to_headers
+      return {} if @origin.nil?
+
+      headers = {}
+      headers['Access-Control-Allow-Origin'] = @origin
+
+      if @methods.is_a?(String)
+        headers['Access-Control-Allow-Methods'] = @methods
+      elsif @methods.is_a?(Array) && @methods.any?
+        headers['Access-Control-Allow-Methods'] = @methods.map(&:upcase).join(', ')
+      end
+
+      if @headers.is_a?(String)
+        headers['Access-Control-Allow-Headers'] = @headers
+      elsif @headers.is_a?(Array) && @headers.any?
+        headers['Access-Control-Allow-Headers'] = @headers.join(', ')
+      end
+
+      headers
+    end
+
+  end
+end

data/lib/apia/endpoint.rb

@@ -48,10 +48,23 @@ module Apia
         environment = RequestEnvironment.new(request, response)
 
         catch_errors(response) do
-          # Determine an authenticator and execute it before the request happens
+          # Determine an authenticator for this endpoint
           request.authenticator = definition.authenticator || request.controller&.definition&.authenticator || request.api&.definition&.authenticator
+
+          # Execute the authentication before the request happens
           request.authenticator&.execute(environment)
 
+          # Add the CORS headers to the response before the endpoint is called. The endpoint
+          # cannot influence the CORS headers.
+          response.headers.merge!(environment.cors.to_headers)
+
+          # OPTIONS requests always return 200 OK and no body.
+          if request.options?
+            response.status = 200
+            response.body = ''
+            return response
+          end
+
           # Determine if we're permitted to run the action based on the endpoint's scopes
           if request.authenticator && !request.authenticator.authorized_scope?(environment, definition.scopes)
             environment.raise_error Apia::ScopeNotGrantedError, scopes: definition.scopes

data/lib/apia/rack.rb

@@ -65,9 +65,7 @@ module Apia
 
       api_path = Regexp.last_match(1)
 
-      triplet = handle_request(env, api_path)
-      add_cors_headers(env, triplet)
-      triplet
+      handle_request(env, api_path)
     end
 
     private
@@ -77,15 +75,12 @@ module Apia
       request_method = env['REQUEST_METHOD'].upcase
       notify_hash = { api: api, env: env, path: api_path, method: request_method }
 
-      if request_method.upcase == 'OPTIONS'
-        return [204, {}, ['']]
-      end
-
       Apia::Notifications.notify(:request_start, notify_hash)
 
       validate_api if development?
 
-      route = find_route(request_method, api_path)
+      access_control_request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']&.upcase if request_method == 'OPTIONS'
+      route = find_route((access_control_request_method || request_method), api_path)
       if route.nil?
         Apia::Notifications.notify(:request_route_not_found, notify_hash)
         raise RackError.new(404, 'route_not_found', "No route matches '#{api_path}' for #{request_method}")
@@ -155,21 +150,6 @@ module Apia
       )
     end
 
-    # Add cross origin headers to the response triplet
-    #
-    # @param env [Hash]
-    # @param triplet [Array]
-    # @return [void]
-    def add_cors_headers(env, triplet)
-      triplet[1]['Access-Control-Allow-Origin'] = '*'
-      triplet[1]['Access-Control-Allow-Methods'] = '*'
-      if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-        triplet[1]['Access-Control-Allow-Headers'] = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-      end
-
-      true
-    end
-
     class << self
 
       # Return a JSON-ready triplet for the given body.

data/lib/apia/request_environment.rb

@@ -2,6 +2,7 @@
 
 require 'apia/environment_error_handling'
 require 'apia/errors/invalid_helper_error'
+require 'apia/cors'
 
 module Apia
   class RequestEnvironment
@@ -74,6 +75,10 @@ module Apia
       @response.add_field :pagination, pagination_info
     end
 
+    def cors
+      @cors ||= CORS.new
+    end
+
     private
 
     def potential_error_sources

data/lib/apia/version.rb

@@ -2,6 +2,6 @@
 
 module Apia
 
-  VERSION = '3.4.0'
+  VERSION = '3.5.1'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apia
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 3.5.1
 platform: ruby
 authors:
 - Adam Cooke
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-15 00:00:00.000000000 Z
+date: 2023-11-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -51,6 +51,7 @@ files:
 - lib/apia/authenticator.rb
 - lib/apia/callable_with_environment.rb
 - lib/apia/controller.rb
+- lib/apia/cors.rb
 - lib/apia/deep_merge.rb
 - lib/apia/defineable.rb
 - lib/apia/definition.rb