openstax_api 5.5.0 → 5.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b516a7b480a4b886c0e156b8e2056f2d777d4c11
-  data.tar.gz: b606dd4bc73814c91bc87aef95d1d789e2787f5b
+  metadata.gz: 2d8f7e030eb103725527b3e6b056169ce47e0cd2
+  data.tar.gz: d1f3cc36a20300fb330d94578e67d032afdf3a8b
 SHA512:
-  metadata.gz: aae51bbafed8a9f24cc16d73ff5f6cfb756be3353fd840b37d9b3cfd9060369ee45f683b4b05933730d79bf6c6a30024c7c3b4609db00531567ab80d55c9340a
-  data.tar.gz: 38fc0194a381b0b49f7a38bd47b8484eaca65207cdcaa2cd62f019910c3226c58c3ac6574cbafef5fb9e1cd5f8330d2e82aa012f1bc3f485bf619913fad6b2a0
+  metadata.gz: 98f85a898b830672a936c98876cfa54838a4efca1f7421d6080da4cc2c728c5154ca6418dfc5c74f4eb6c30b5e40cf7819875f8dea89216e8b391b27a3cb854e
+  data.tar.gz: f2e0db018b2bb2e77e3304bfc0d3864e477e2c72b959bf32edd1b7da1a790b734e1becd0e407dbdd258fbf4761290dbefde080bdc276abcddbc883548e85c22c

data/app/controllers/openstax/api/v1/api_controller.rb

@@ -22,8 +22,9 @@ module OpenStax
 
         # Except for users logged in via a cookie, we can disable CSRF protection and enable CORS
         skip_before_filter :verify_authenticity_token, unless: :session_user?
-        before_filter :set_cors_preflight_headers, unless: :session_user?
-        after_filter :set_cors_headers, unless: :session_user?
+        skip_before_filter :verify_authenticity_token, only: :options
+        before_filter :set_cors_preflight_headers, only: :options
+        after_filter :set_cors_headers
 
         # Keep old current_user method so we can use it
         alias_method :current_session_user, OpenStax::Api.configuration.current_user_method
@@ -44,6 +45,10 @@ module OpenStax
           current_api_user.human_user
         end
 
+        def options
+          head :ok
+        end
+
         protected
 
         def session_user?
@@ -68,13 +73,9 @@ module OpenStax
         end
 
         def set_cors_preflight_headers
-          if request.method == 'OPTIONS'
-            headers['Access-Control-Allow-Origin'] = '*'
-            headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
-            headers['Access-Control-Max-Age'] = '1728000'
-
-            render :text => '', :content_type => 'text/plain'
-          end
+          headers['Access-Control-Allow-Origin'] = '*'
+          headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
+          headers['Access-Control-Max-Age'] = '86400'
         end
 
         def set_cors_headers

data/lib/openstax/api/routing_mapper_includes.rb

@@ -7,18 +7,16 @@ module OpenStax
         api_namespace = (options.delete(:namespace) || 'api').to_s
         routing_error_app = options.delete(:routing_error_app) || \
                               OpenStax::Api.configuration.routing_error_app
-        constraints = Constraints.new(version: version,
-                                      default: options.delete(:default))
+        constraints = Constraints.new(version: version, default: options.delete(:default))
 
         namespace api_namespace, defaults: {format: 'json'}.merge(options) do
-          scope(except: [:new, :edit],
-                module: version,
-                constraints: constraints) do
-            get '/', to: '/apipie/apipies#index', defaults: {format: 'html', version: version.to_s}
+          scope(except: [:new, :edit], module: version, constraints: constraints) do
+            root to: '/apipie/apipies#index', defaults: {format: 'html', version: version.to_s}
 
             yield
 
-            match '/*other', via: [:get, :post, :put, :patch, :delete], to: routing_error_app
+            match '/*options', via: [:options], to: '/openstax/api/v1/api#options'
+            match '/*other', via: [:all], to: routing_error_app
           end
         end
       end
@@ -26,5 +24,4 @@ module OpenStax
   end
 end
 
-ActionDispatch::Routing::Mapper.send :include,
-                                     OpenStax::Api::RoutingMapperIncludes
+ActionDispatch::Routing::Mapper.send :include, OpenStax::Api::RoutingMapperIncludes

data/lib/openstax/api/version.rb

@@ -1,5 +1,5 @@
 module OpenStax
   module Api
-    VERSION = "5.5.0"
+    VERSION = "5.5.1"
   end
 end

data/spec/controllers/openstax/api/v1/api_controller_spec.rb

@@ -116,6 +116,7 @@ module OpenStax
           it 'sets the CORS headers for anonymous users' do
             get 'dummy'
             expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+            expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
           end
 
           it 'sets the CORS headers for token users' do
@@ -123,12 +124,14 @@ module OpenStax
             @request.headers['Authorization'] = "Bearer #{token}"
             get 'dummy'
             expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+            expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
           end
 
-          it 'does not set the CORS headers for session users' do
+          it 'sets the CORS headers for session users (the browser should block the request due to no Access-Control-Allow-Credentials header)' do
             @controller.present_user = user
             get 'dummy'
-            expect(response.headers['Access-Control-Allow-Origin']).to be_nil
+            expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+            expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
           end
         end