rack-cors 0.1.1 → 0.2.0

data/README.rdoc

@@ -19,14 +19,18 @@ Install the gem:
 
 You configure Rack::Cors by passing a block to the <tt>use</tt> command:
 
-  use Rack::Cors do |config|
-    config.allow do |allow|
+  use Rack::Cors do |cfg|
+    cfg.allow do |allow|
       allow.origins 'localhost:3000', '127.0.0.1:3000'
 
       allow.resource '/file/list_all/', :headers => 'x-domain-token'
-
       allow.resource '/file/at/*',
           :methods => [:get, :post, :put, :delete],
           :headers => 'x-domain-token'
     end
+
+    cfg.allow do |allow|
+      allow.origins '*'
+      allow.resource '/public/*', :headers => :any, :methods => :get
+    end
   end

data/VERSION

@@ -1 +1 @@
-0.1.1
+0.2.0

data/lib/rack/cors.rb

@@ -1,8 +1,10 @@
+require 'logger'
+
 module Rack
   class Cors
-
-    def initialize(app)
+    def initialize(app, opts={})
       @app = app
+      @logger = opts[:logger]
       yield self if block_given?
     end
 
@@ -14,11 +16,24 @@ module Rack
     def call(env)
       cors_headers = nil
       if env['HTTP_ORIGIN']
+        debug(env) do
+          [ 'Incoming Headers:',
+            "  Origin: #{env['HTTP_ORIGIN']}",
+            "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
+            "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
+            ].join("\n")
+        end
         if env['REQUEST_METHOD'] == 'OPTIONS'
-          headers = process_preflight(env)
-          return [200, headers, []] if headers
+          if headers = process_preflight(env)
+            debug(env) do
+              "Preflight Headers:\n" +
+                  headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
+            end
+            return [200, headers, []]
+          end
+        else
+          cors_headers = process_cors(env)
         end
-        cors_headers = process_cors(env)
       end
       status, headers, body = @app.call env
       headers = headers.merge(cors_headers) if cors_headers
@@ -26,13 +41,20 @@ module Rack
     end
 
     protected
+      def debug(env, message = nil, &block)
+        logger = @logger || env['rack.logger'] || begin
+          @logger = ::Logger.new(STDOUT).tap {|logger| logger.level = ::Logger::Severity::DEBUG}
+        end
+        logger.debug(message, &block)
+      end
+
       def all_resources
         @all_resources ||= []
       end
 
       def process_preflight(env)
         resource = find_resource(env['HTTP_ORIGIN'], env['PATH_INFO'])
-        resource.to_preflight_headers(env) if resource
+        resource && resource.process_preflight(env)
       end
 
       def process_cors(env)
@@ -47,20 +69,34 @@ module Rack
 
       class Resources
         def initialize
-          @origins   = []
+          @origins = []
           @resources = []
+          @public_resources = false
         end
 
         def origins(*args)
-          @origins = args.flatten.collect{|n| "http://#{n}" unless n.match(/^https?:\/\//)}
+          @origins = args.flatten.collect do |n|
+            case n
+            when /^https?:\/\// then n
+            when '*'
+              @public_resources = true
+              n
+            else
+              "http://#{n}"
+            end
+          end
         end
 
         def resource(path, opts={})
-          @resources << Resource.new(path, opts)
+          @resources << Resource.new(public_resources?, path, opts)
+        end
+
+        def public_resources?
+          @public_resources
         end
 
         def allow_origin?(source)
-          @origins.include?(source)
+          public_resources? || @origins.include?(source)
         end
 
         def find_resource(path)
@@ -71,36 +107,70 @@ module Rack
       class Resource
         attr_accessor :path, :methods, :headers, :max_age, :credentials, :pattern
 
-        def initialize(path, opts = {})
+        def initialize(public_resource, path, opts={})
           self.path        = path
           self.methods     = ensure_enum(opts[:methods]) || [:get]
           self.credentials = opts[:credentials] || true
-          self.headers     = ensure_enum(opts[:headers]) || nil
           self.max_age     = opts[:max_age] || 1728000
           self.pattern     = compile(path)
+          @public_resource = public_resource
+
+          self.headers = case opts[:headers]
+          when :any then :any
+          when nil then nil
+          else
+            [opts[:headers]].flatten.collect{|h| h.downcase}
+          end
         end
 
         def match?(path)
           pattern =~ path
         end
 
-        def to_headers(env)
-          { 'Access-Control-Allow-Origin'       => env['HTTP_ORIGIN'],
-            'Access-Control-Allow-Methods'      => methods.collect{|m| m.to_s.upcase}.join(', '),
-            'Access-Control-Allow-Credentials'  => credentials.to_s,
-            'Access-Control-Max-Age'            => max_age.to_s }
+        def process_preflight(env)
+          return nil if invalid_method_request?(env) || invalid_headers_request?(env)
+          to_preflight_headers(env)
         end
 
-        def to_preflight_headers(env)
-          h = to_headers(env)
-          h.merge!('Access-Control-Allow-Headers' => headers.join(', ')) if headers
+        def to_headers(env)
+          h = { 'Access-Control-Allow-Origin' => public_resource? ? '*' : env['HTTP_ORIGIN'],
+            'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
+            'Access-Control-Max-Age'          => max_age.to_s }
+          h['Access-Control-Allow-Credentials'] = 'true' if credentials
           h
         end
 
         protected
+          def public_resource?
+            @public_resource
+          end
+
+          def to_preflight_headers(env)
+            h = to_headers(env)
+            if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
+              h.merge!('Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
+            end
+            h
+          end
+
+          def invalid_method_request?(env)
+            request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
+            request_method.nil? || !methods.include?(request_method.downcase.to_sym)
+          end
+
+          def invalid_headers_request?(env)
+            request_headers = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
+            request_headers && !allow_headers?(request_headers)
+          end
+
+          def allow_headers?(request_headers)
+            return false if headers.nil?
+            headers == :any || !request_headers.detect{|h| !headers.include?(h.downcase)}
+          end
+
           def ensure_enum(v)
             return nil if v.nil?
-            [v] unless v.respond_to?(:join)
+            [v].flatten
           end
 
           def compile(path)

data/rack-cors.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{rack-cors}
-  s.version = "0.1.1"
+  s.version = "0.2.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Calvin Yu"]
-  s.date = %q{2010-06-02}
+  s.date = %q{2010-06-08}
   s.email = %q{csyu77@gmail.com}
   s.extra_rdoc_files = [
     "README.rdoc"
@@ -20,13 +20,18 @@ Gem::Specification.new do |s|
      "Rakefile",
      "VERSION",
      "lib/rack/cors.rb",
-     "rack-cors.gemspec"
+     "rack-cors.gemspec",
+     "test/cors_test.rb",
+     "test/test.ru"
   ]
   s.homepage = %q{http://github.com/cyu/rack-cors}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
+  s.test_files = [
+    "test/cors_test.rb"
+  ]
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION

data/test/cors_test.rb

@@ -0,0 +1,80 @@
+require 'rubygems'
+require 'rack/test'
+require 'shoulda'
+
+Rack::Test::Session.class_eval do
+  def options(uri, params = {}, env = {}, &block)
+    env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
+    process_request(uri, env, &block)
+  end  
+end
+
+Rack::Test::Methods.class_eval do
+  def_delegator :current_session, :options
+end
+
+class CorsTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def app
+    eval "Rack::Builder.new {( " + File.read(File.dirname(__FILE__) + '/test.ru') + "\n )}"
+  end
+
+  context 'preflight requests' do
+    should 'fail if origin is invalid' do
+      preflight_request('http://allyourdataarebelongtous.com', '/')
+      assert_preflight_failure
+    end
+
+    should 'fail if Access-Control-Request-Method does not exist' do
+      preflight_request('http://localhost:3000', '/', :method => nil)
+      assert_preflight_failure
+    end
+
+    should 'fail if Access-Control-Request-Method is not allowed' do
+      preflight_request('http://localhost:3000', '/get-only', :method => :post)
+      assert_preflight_failure
+    end
+
+    should 'fail if header is not allowed' do
+      preflight_request('http://localhost:3000', '/single_header', :headers => 'Fooey')
+      assert_preflight_failure
+    end
+
+    should 'allow any header if headers = :any' do
+      preflight_request('http://localhost:3000', '/', :headers => 'Fooey')
+      assert_preflight_success
+    end
+
+    should 'allow header case insensitive match' do
+      preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
+      assert_preflight_success
+    end
+
+    should '* origin should allow any origin' do
+      preflight_request('http://locohost:3000', '/public')
+      assert_preflight_success
+      assert_equal '*', last_response.headers['Access-Control-Allow-Origin']
+    end
+  end
+
+  protected
+    def preflight_request(origin, path, opts = {})
+      header 'Origin', origin
+      unless opts.key?(:method) && opts[:method].nil?
+        header 'Access-Control-Request-Method', opts[:method] ? opts[:method].to_s.upcase : 'GET'
+      end
+      if opts[:headers]
+        header 'Access-Control-Request-Headers', [opts[:headers]].flatten.join(', ')
+      end
+      options path
+    end
+
+    def assert_preflight_success
+      assert_not_nil last_response.headers['Access-Control-Allow-Origin']
+    end
+
+    def assert_preflight_failure
+      assert_nil last_response.headers['Access-Control-Allow-Origin']
+    end
+end

data/test/test.ru

@@ -0,0 +1,24 @@
+require 'rack/cors'
+
+use Rack::Cors do |cfg|
+  cfg.allow do |allow|
+    allow.origins 'localhost:3000', '127.0.0.1:3000'
+
+    allow.resource '/get-only', :methods => :get
+    allow.resource '/', :headers => :any
+    allow.resource '/single_header', :headers => 'x-domain-token'
+    # allow.resource '/file/at/*',
+    #     :methods => [:get, :post, :put, :delete],
+    #     :headers => :any,
+    #     :max_age => 0
+  end
+
+  cfg.allow do |allow|
+    allow.origins '*'
+    allow.resource '/public'
+  end
+end
+
+map '/' do
+  run Proc.new { |env| [200, {'Content-Type' => 'text/html'}, ['success']] }
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack-cors
 version: !ruby/object:Gem::Version 
-  hash: 25
+  hash: 23
   prerelease: false
   segments: 
   - 0
-  - 1
-  - 1
-  version: 0.1.1
+  - 2
+  - 0
+  version: 0.2.0
 platform: ruby
 authors: 
 - Calvin Yu
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-06-02 00:00:00 -04:00
+date: 2010-06-08 00:00:00 -04:00
 default_executable: 
 dependencies: []
 
@@ -34,6 +34,8 @@ files:
 - VERSION
 - lib/rack/cors.rb
 - rack-cors.gemspec
+- test/cors_test.rb
+- test/test.ru
 has_rdoc: true
 homepage: http://github.com/cyu/rack-cors
 licenses: []
@@ -68,5 +70,5 @@ rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps
-test_files: []
-
+test_files: 
+- test/cors_test.rb