"Truly manual" API (#22)
* Experimental "truly manual" API * Add API for general usage * Add documentation and example Change Fn to FnOnce to allow for moving and consuming
This commit is contained in:
parent
7d26aeb795
commit
92d7775b93
|
@ -1,4 +1,4 @@
|
||||||
#![feature(plugin, custom_derive)]
|
#![feature(plugin)]
|
||||||
#![plugin(rocket_codegen)]
|
#![plugin(rocket_codegen)]
|
||||||
extern crate rocket;
|
extern crate rocket;
|
||||||
extern crate rocket_cors;
|
extern crate rocket_cors;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#![feature(plugin, custom_derive)]
|
#![feature(plugin)]
|
||||||
#![plugin(rocket_codegen)]
|
#![plugin(rocket_codegen)]
|
||||||
extern crate rocket;
|
extern crate rocket;
|
||||||
extern crate rocket_cors;
|
extern crate rocket_cors;
|
||||||
|
@ -23,7 +23,7 @@ fn responder_options(cors: Guard) -> Responder<()> {
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Using a `Response` instead of a `Responder`. You generally won't have to do this.
|
/// Using a `Response` instead of a `Responder`. You generally won't have to do this.
|
||||||
#[get("/responder")]
|
#[get("/response")]
|
||||||
fn response(cors: Guard) -> Response {
|
fn response(cors: Guard) -> Response {
|
||||||
let mut response = Response::new();
|
let mut response = Response::new();
|
||||||
response.set_sized_body(Cursor::new("Hello CORS!"));
|
response.set_sized_body(Cursor::new("Hello CORS!"));
|
||||||
|
@ -32,7 +32,7 @@ fn response(cors: Guard) -> Response {
|
||||||
|
|
||||||
/// You need to define an OPTIONS route for preflight checks.
|
/// You need to define an OPTIONS route for preflight checks.
|
||||||
/// These routes can just return the unit type `()`
|
/// These routes can just return the unit type `()`
|
||||||
#[options("/responder")]
|
#[options("/response")]
|
||||||
fn response_options(cors: Guard) -> Response {
|
fn response_options(cors: Guard) -> Response {
|
||||||
let response = Response::new();
|
let response = Response::new();
|
||||||
cors.response(response)
|
cors.response(response)
|
||||||
|
|
|
@ -0,0 +1,94 @@
|
||||||
|
#![feature(plugin, conservative_impl_trait)]
|
||||||
|
#![plugin(rocket_codegen)]
|
||||||
|
extern crate rocket;
|
||||||
|
extern crate rocket_cors;
|
||||||
|
|
||||||
|
use std::io::Cursor;
|
||||||
|
|
||||||
|
use rocket::{State, Response};
|
||||||
|
use rocket::http::Method;
|
||||||
|
use rocket::response::Responder;
|
||||||
|
use rocket_cors::{Cors, AllowedOrigins, AllowedHeaders};
|
||||||
|
|
||||||
|
/// Using a borrowed Cors
|
||||||
|
#[get("/")]
|
||||||
|
fn borrowed<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
|guard| guard.responder("Hello CORS"),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// You need to define an OPTIONS route for preflight checks.
|
||||||
|
/// These routes can just return the unit type `()`
|
||||||
|
#[options("/")]
|
||||||
|
fn borrowed_options<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
|guard| guard.responder(()),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Using a `Response` instead of a `Responder`. You generally won't have to do this.
|
||||||
|
#[get("/response")]
|
||||||
|
fn response<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
let mut response = Response::new();
|
||||||
|
response.set_sized_body(Cursor::new("Hello CORS!"));
|
||||||
|
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
move |guard| guard.response(response),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// You need to define an OPTIONS route for preflight checks.
|
||||||
|
/// These routes can just return the unit type `()`
|
||||||
|
#[options("/response")]
|
||||||
|
fn response_options<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
move |guard| guard.response(Response::new()),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Create and use an ad-hoc Cors
|
||||||
|
#[get("/owned")]
|
||||||
|
fn owned<'r>() -> impl Responder<'r> {
|
||||||
|
let options = cors_options();
|
||||||
|
options.respond_owned(|guard| guard.responder("Hello CORS"))
|
||||||
|
}
|
||||||
|
|
||||||
|
/// You need to define an OPTIONS route for preflight checks.
|
||||||
|
/// These routes can just return the unit type `()`
|
||||||
|
#[options("/owned")]
|
||||||
|
fn owned_options<'r>() -> impl Responder<'r> {
|
||||||
|
let options = cors_options();
|
||||||
|
options.respond_owned(|guard| guard.responder(()))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn cors_options() -> Cors {
|
||||||
|
let (allowed_origins, failed_origins) = AllowedOrigins::some(&["https://www.acme.com"]);
|
||||||
|
assert!(failed_origins.is_empty());
|
||||||
|
|
||||||
|
// You can also deserialize this
|
||||||
|
rocket_cors::Cors {
|
||||||
|
allowed_origins: allowed_origins,
|
||||||
|
allowed_methods: vec![Method::Get].into_iter().map(From::from).collect(),
|
||||||
|
allowed_headers: AllowedHeaders::some(&["Authorization", "Accept"]),
|
||||||
|
allow_credentials: true,
|
||||||
|
..Default::default()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn main() {
|
||||||
|
rocket::ignite()
|
||||||
|
.mount(
|
||||||
|
"/",
|
||||||
|
routes![
|
||||||
|
borrowed,
|
||||||
|
borrowed_options,
|
||||||
|
response,
|
||||||
|
response_options,
|
||||||
|
owned,
|
||||||
|
owned_options,
|
||||||
|
],
|
||||||
|
)
|
||||||
|
.manage(cors_options())
|
||||||
|
.launch();
|
||||||
|
}
|
320
src/lib.rs
320
src/lib.rs
|
@ -61,7 +61,7 @@
|
||||||
//!
|
//!
|
||||||
//! - Fairing (should only used exclusively)
|
//! - Fairing (should only used exclusively)
|
||||||
//! - Request Guard
|
//! - Request Guard
|
||||||
//! - Truly Manual (not supported yet, [#13](https://github.com/lawliet89/rocket_cors/issues/13))
|
//! - Truly Manual
|
||||||
//!
|
//!
|
||||||
//! Unfortunately, you cannot mix and match Fairing with any other of the methods, due to the
|
//! Unfortunately, you cannot mix and match Fairing with any other of the methods, due to the
|
||||||
//! limitation of Rocket's fairing API. That is, the checks for Fairing will always happen first,
|
//! limitation of Rocket's fairing API. That is, the checks for Fairing will always happen first,
|
||||||
|
@ -213,7 +213,189 @@
|
||||||
//!
|
//!
|
||||||
//! ## Truly Manual
|
//! ## Truly Manual
|
||||||
//!
|
//!
|
||||||
//! This is not supported yet. See [#13](https://github.com/lawliet89/rocket_cors/issues/13).
|
//! This mode is the most difficult to use but offers the most amount of flexibility.
|
||||||
|
//! You might have to understand how the library works internally to know how to use this mode.
|
||||||
|
//! In exchange, you can selectively choose which routes to offer CORS protection to, and you
|
||||||
|
//! can mix and match CORS settings for the routes. You can combine usage of this mode with
|
||||||
|
//! "guard" to offer a mix of ease of use and flexibility.
|
||||||
|
//!
|
||||||
|
//! You really do not need to use this unless you have a truly ad-hoc need to respond to CORS
|
||||||
|
//! differently in a route. For example, you have a `ping` endpoint that allows all origins but
|
||||||
|
//! the rest of your routes do not.
|
||||||
|
//!
|
||||||
|
//! ### Handler
|
||||||
|
//!
|
||||||
|
//! This mode requires that you pass in a closure that will be lazily evaluated once a CORS request
|
||||||
|
//! has been validated. If validation fails, the closure will not be run. You should put any code
|
||||||
|
//! that has any side effects or with an appreciable computation cost inside this handler.
|
||||||
|
//!
|
||||||
|
//! ### Steps to perform:
|
||||||
|
//! - Your crate will need to enable the
|
||||||
|
//! [`conservative_impl_trait`](https://github.com/rust-lang/rfcs/blob/master/text/1522-conservative-impl-trait.md)
|
||||||
|
//! feature. You can use `#![feature(conservative_impl_trait)]` at your crate root.
|
||||||
|
//! Otherwise, the return type of your routes will be unspecifiable.
|
||||||
|
//! - You will first need to have a `Cors` struct ready. This struct can be borrowed with a lifetime
|
||||||
|
//! at least as long as `'r` which is the lifetime of a Rocket request. `'static` works too.
|
||||||
|
//! In this case, you might as well use the `Guard` method above and place the `Cors` struct in
|
||||||
|
//! Rocket's [state](https://rocket.rs/guide/state/).
|
||||||
|
//! Alternatively, you can create a `Cors` struct directly in the route.
|
||||||
|
//! - Your routes will need to have a `'r` lifetime and return `impl Responder<'r>`.
|
||||||
|
//! - Using the `Cors` struct, use either the
|
||||||
|
//! [`respond_owned`](struct.Cors.html#method.respond_owned) or
|
||||||
|
//! [`respond_borrowed`](struct.Cors.html#method.respond_borrowed) function and pass in a handler
|
||||||
|
//! that will be executed once CORS validation is successful.
|
||||||
|
//! - Your handler will be passed a [`Guard`](struct.Guard.html) which you will have to use to
|
||||||
|
//! add CORS headers into your own response.
|
||||||
|
//! - You will have to manually define your own `OPTIONS` routes.
|
||||||
|
//!
|
||||||
|
//! ### Notes about route lifetime
|
||||||
|
//! It is unfortunate that you have to manually specify the `'r` lifetimes in your routes.
|
||||||
|
//! Leaving out the lifetime will result in a
|
||||||
|
//! [compiler panic](https://github.com/rust-lang/rust/issues/43380). Even if the panic is fixed,
|
||||||
|
//! it is not known if we can exclude the lifetime because lifetimes are _elided_ in Rust,
|
||||||
|
//! not inferred.
|
||||||
|
//!
|
||||||
|
//! ### Owned example
|
||||||
|
//! This is the most likely scenario when you want to have manual CORS validation. You can use this
|
||||||
|
//! when the settings you want to use for a route is not the same as the rest of the application
|
||||||
|
//! (which you might have put in Rocket's state).
|
||||||
|
//!
|
||||||
|
//! ```rust,no_run
|
||||||
|
//! #![feature(plugin, conservative_impl_trait)]
|
||||||
|
//! #![plugin(rocket_codegen)]
|
||||||
|
//! extern crate rocket;
|
||||||
|
//! extern crate rocket_cors;
|
||||||
|
//!
|
||||||
|
//! use rocket::http::Method;
|
||||||
|
//! use rocket::response::Responder;
|
||||||
|
//! use rocket_cors::{Cors, AllowedOrigins, AllowedHeaders};
|
||||||
|
//!
|
||||||
|
//! /// Create and use an ad-hoc Cors
|
||||||
|
//! #[get("/owned")]
|
||||||
|
//! fn owned<'r>() -> impl Responder<'r> {
|
||||||
|
//! let options = cors_options();
|
||||||
|
//! options.respond_owned(|guard| guard.responder("Hello CORS"))
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! /// You need to define an OPTIONS route for preflight checks.
|
||||||
|
//! /// These routes can just return the unit type `()`
|
||||||
|
//! #[options("/owned")]
|
||||||
|
//! fn owned_options<'r>() -> impl Responder<'r> {
|
||||||
|
//! let options = cors_options();
|
||||||
|
//! options.respond_owned(|guard| guard.responder(()))
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! fn cors_options() -> Cors {
|
||||||
|
//! let (allowed_origins, failed_origins) = AllowedOrigins::some(&["https://www.acme.com"]);
|
||||||
|
//! assert!(failed_origins.is_empty());
|
||||||
|
//!
|
||||||
|
//! // You can also deserialize this
|
||||||
|
//! rocket_cors::Cors {
|
||||||
|
//! allowed_origins: allowed_origins,
|
||||||
|
//! allowed_methods: vec![Method::Get].into_iter().map(From::from).collect(),
|
||||||
|
//! allowed_headers: AllowedHeaders::some(&["Authorization", "Accept"]),
|
||||||
|
//! allow_credentials: true,
|
||||||
|
//! ..Default::default()
|
||||||
|
//! }
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! fn main() {
|
||||||
|
//! rocket::ignite()
|
||||||
|
//! .mount(
|
||||||
|
//! "/",
|
||||||
|
//! routes![
|
||||||
|
//! owned,
|
||||||
|
//! owned_options,
|
||||||
|
//! ],
|
||||||
|
//! )
|
||||||
|
//! .manage(cors_options())
|
||||||
|
//! .launch();
|
||||||
|
//! }
|
||||||
|
//! ```
|
||||||
|
//!
|
||||||
|
//! ### Borrowed Example
|
||||||
|
//! You might want to borrow the `Cors` struct from Rocket's state, for example. Unless you have
|
||||||
|
//! special handling, you might want to use the Guard method instead which has less hassle.
|
||||||
|
//!
|
||||||
|
//! ```rust,no_run
|
||||||
|
//! #![feature(plugin, conservative_impl_trait)]
|
||||||
|
//! #![plugin(rocket_codegen)]
|
||||||
|
//! extern crate rocket;
|
||||||
|
//! extern crate rocket_cors;
|
||||||
|
//!
|
||||||
|
//! use std::io::Cursor;
|
||||||
|
//!
|
||||||
|
//! use rocket::{State, Response};
|
||||||
|
//! use rocket::http::Method;
|
||||||
|
//! use rocket::response::Responder;
|
||||||
|
//! use rocket_cors::{Cors, AllowedOrigins, AllowedHeaders};
|
||||||
|
//!
|
||||||
|
//! /// Using a borrowed Cors
|
||||||
|
//! #[get("/")]
|
||||||
|
//! fn borrowed<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
//! options.inner().respond_borrowed(
|
||||||
|
//! |guard| guard.responder("Hello CORS"),
|
||||||
|
//! )
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! /// You need to define an OPTIONS route for preflight checks.
|
||||||
|
//! /// These routes can just return the unit type `()`
|
||||||
|
//! #[options("/")]
|
||||||
|
//! fn borrowed_options<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
//! options.inner().respond_borrowed(
|
||||||
|
//! |guard| guard.responder(()),
|
||||||
|
//! )
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! /// Using a `Response` instead of a `Responder`. You generally won't have to do this.
|
||||||
|
//! #[get("/response")]
|
||||||
|
//! fn response<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
//! let mut response = Response::new();
|
||||||
|
//! response.set_sized_body(Cursor::new("Hello CORS!"));
|
||||||
|
//!
|
||||||
|
//! options.inner().respond_borrowed(
|
||||||
|
//! move |guard| guard.response(response),
|
||||||
|
//! )
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! /// You need to define an OPTIONS route for preflight checks.
|
||||||
|
//! /// These routes can just return the unit type `()`
|
||||||
|
//! #[options("/response")]
|
||||||
|
//! fn response_options<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
//! options.inner().respond_borrowed(
|
||||||
|
//! move |guard| guard.response(Response::new()),
|
||||||
|
//! )
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! fn cors_options() -> Cors {
|
||||||
|
//! let (allowed_origins, failed_origins) = AllowedOrigins::some(&["https://www.acme.com"]);
|
||||||
|
//! assert!(failed_origins.is_empty());
|
||||||
|
//!
|
||||||
|
//! // You can also deserialize this
|
||||||
|
//! rocket_cors::Cors {
|
||||||
|
//! allowed_origins: allowed_origins,
|
||||||
|
//! allowed_methods: vec![Method::Get].into_iter().map(From::from).collect(),
|
||||||
|
//! allowed_headers: AllowedHeaders::some(&["Authorization", "Accept"]),
|
||||||
|
//! allow_credentials: true,
|
||||||
|
//! ..Default::default()
|
||||||
|
//! }
|
||||||
|
//! }
|
||||||
|
//!
|
||||||
|
//! fn main() {
|
||||||
|
//! rocket::ignite()
|
||||||
|
//! .mount(
|
||||||
|
//! "/",
|
||||||
|
//! routes![
|
||||||
|
//! borrowed,
|
||||||
|
//! borrowed_options,
|
||||||
|
//! response,
|
||||||
|
//! response_options,
|
||||||
|
//! ],
|
||||||
|
//! )
|
||||||
|
//! .manage(cors_options())
|
||||||
|
//! .launch();
|
||||||
|
//! }
|
||||||
|
//! ```
|
||||||
|
|
||||||
#![allow(
|
#![allow(
|
||||||
legacy_directory_ownership,
|
legacy_directory_ownership,
|
||||||
|
@ -266,7 +448,7 @@
|
||||||
while_true,
|
while_true,
|
||||||
)]
|
)]
|
||||||
|
|
||||||
#![cfg_attr(test, feature(plugin, custom_derive))]
|
#![cfg_attr(test, feature(plugin))]
|
||||||
#![cfg_attr(test, plugin(rocket_codegen))]
|
#![cfg_attr(test, plugin(rocket_codegen))]
|
||||||
#![doc(test(attr(allow(unused_variables), deny(warnings))))]
|
#![doc(test(attr(allow(unused_variables), deny(warnings))))]
|
||||||
|
|
||||||
|
@ -296,6 +478,7 @@ mod fairing;
|
||||||
|
|
||||||
pub mod headers;
|
pub mod headers;
|
||||||
|
|
||||||
|
use std::borrow::Cow;
|
||||||
use std::collections::{HashSet, HashMap};
|
use std::collections::{HashSet, HashMap};
|
||||||
use std::error;
|
use std::error;
|
||||||
use std::fmt;
|
use std::fmt;
|
||||||
|
@ -826,19 +1009,6 @@ impl Cors {
|
||||||
"/cors".to_string()
|
"/cors".to_string()
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Validate a request and then return a CORS Response
|
|
||||||
///
|
|
||||||
/// You will usually not have to use this function but simply place a r
|
|
||||||
/// equest guard in the route argument for the `Guard` type.
|
|
||||||
///
|
|
||||||
/// This is useful if you want an even more ad-hoc based approach to respond to
|
|
||||||
/// CORS by using a `Cors` that is not in Rocket's managed state.
|
|
||||||
#[doc(hidden)] // Need to figure out a way to do this
|
|
||||||
pub fn validate_request<'a, 'r>(&'a self, request: &'a Request<'r>) -> Result<Response, Error> {
|
|
||||||
let response = validate_and_build(self, request)?;
|
|
||||||
Ok(response)
|
|
||||||
}
|
|
||||||
|
|
||||||
/// Validates if any of the settings are disallowed or incorrect
|
/// Validates if any of the settings are disallowed or incorrect
|
||||||
///
|
///
|
||||||
/// This is run during initial Fairing attachment
|
/// This is run during initial Fairing attachment
|
||||||
|
@ -849,8 +1019,52 @@ impl Cors {
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Manually respond to a request with CORS checks and headers using an Owned `Cors`.
|
||||||
|
///
|
||||||
|
/// Use this variant when your `Cors` struct will not live at least as long as the whole `'r`
|
||||||
|
/// lifetime of the request.
|
||||||
|
///
|
||||||
|
/// After the CORS checks are done, the passed in handler closure will be run to generate a
|
||||||
|
/// final response. You will have to merge your response with the `Guard` that you have been
|
||||||
|
/// passed in to include the CORS headers.
|
||||||
|
///
|
||||||
|
/// See the documentation at the [crate root](index.html) for usage information.
|
||||||
|
pub fn respond_owned<'r, F, R>(self, handler: F) -> Result<ManualResponder<'r, F, R>, Error>
|
||||||
|
where
|
||||||
|
F: FnOnce(Guard<'r>) -> R + 'r,
|
||||||
|
R: response::Responder<'r>,
|
||||||
|
{
|
||||||
|
self.validate()?;
|
||||||
|
Ok(ManualResponder::new(Cow::Owned(self), handler))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Manually respond to a request with CORS checks and headers using a borrowed `Cors`.
|
||||||
|
///
|
||||||
|
/// Use this variant when your `Cors` struct will live at least as long as the whole `'r`
|
||||||
|
/// lifetime of the request. If you are getting your `Cors` from Rocket's state, you will have
|
||||||
|
/// to use the [`inner` function](https://api.rocket.rs/rocket/struct.State.html#method.inner)
|
||||||
|
/// to get a longer borrowed lifetime.
|
||||||
|
///
|
||||||
|
/// After the CORS checks are done, the passed in handler closure will be run to generate a
|
||||||
|
/// final response. You will have to merge your response with the `Guard` that you have been
|
||||||
|
/// passed in to include the CORS headers.
|
||||||
|
///
|
||||||
|
/// See the documentation at the [crate root](index.html) for usage information.
|
||||||
|
pub fn respond_borrowed<'r, F, R>(
|
||||||
|
&'r self,
|
||||||
|
handler: F,
|
||||||
|
) -> Result<ManualResponder<'r, F, R>, Error>
|
||||||
|
where
|
||||||
|
F: FnOnce(Guard<'r>) -> R + 'r,
|
||||||
|
R: response::Responder<'r>,
|
||||||
|
{
|
||||||
|
self.validate()?;
|
||||||
|
Ok(ManualResponder::new(Cow::Borrowed(self), handler))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/// A CORS Response which provides the following CORS headers:
|
/// A CORS Response which provides the following CORS headers:
|
||||||
///
|
///
|
||||||
/// - `Access-Control-Allow-Origin`
|
/// - `Access-Control-Allow-Origin`
|
||||||
|
@ -1135,6 +1349,56 @@ impl<'r, R: response::Responder<'r>> response::Responder<'r> for Responder<'r, R
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A Manual Responder used in the "truly manual" mode of operation.
|
||||||
|
///
|
||||||
|
/// See the documentation at the [crate root](index.html) for usage information.
|
||||||
|
pub struct ManualResponder<'r, F, R> {
|
||||||
|
options: Cow<'r, Cors>,
|
||||||
|
handler: F,
|
||||||
|
marker: PhantomData<R>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'r, F, R> ManualResponder<'r, F, R>
|
||||||
|
where
|
||||||
|
F: FnOnce(Guard<'r>) -> R + 'r,
|
||||||
|
R: response::Responder<'r>,
|
||||||
|
{
|
||||||
|
/// Create a new manual responder by passing in either a borrowed or owned `Cors` option.
|
||||||
|
///
|
||||||
|
/// A borrowed `Cors` option must live for the entirety of the `'r` lifetime which is the
|
||||||
|
/// lifetime of the entire Rocket request.
|
||||||
|
fn new(options: Cow<'r, Cors>, handler: F) -> Self {
|
||||||
|
let marker = PhantomData;
|
||||||
|
Self {
|
||||||
|
options,
|
||||||
|
handler,
|
||||||
|
marker,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn build_guard(&self, request: &Request) -> Result<Guard<'r>, Error> {
|
||||||
|
let response = Response::validate_and_build(&self.options, request)?;
|
||||||
|
Ok(Guard::new(response))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'r, F, R> response::Responder<'r> for ManualResponder<'r, F, R>
|
||||||
|
where
|
||||||
|
F: FnOnce(Guard<'r>) -> R + 'r,
|
||||||
|
R: response::Responder<'r>,
|
||||||
|
{
|
||||||
|
fn respond_to(self, request: &Request) -> response::Result<'r> {
|
||||||
|
let guard = match self.build_guard(request) {
|
||||||
|
Ok(guard) => guard,
|
||||||
|
Err(err) => {
|
||||||
|
error_!("CORS error: {}", err);
|
||||||
|
return Err(err.status());
|
||||||
|
}
|
||||||
|
};
|
||||||
|
(self.handler)(guard).respond_to(request)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/// Result of CORS validation.
|
/// Result of CORS validation.
|
||||||
///
|
///
|
||||||
/// The variants hold enough information to build a response to the validation result
|
/// The variants hold enough information to build a response to the validation result
|
||||||
|
@ -1564,8 +1828,10 @@ mod tests {
|
||||||
fn response_sets_exposed_headers_correctly() {
|
fn response_sets_exposed_headers_correctly() {
|
||||||
let headers = vec!["Bar", "Baz", "Foo"];
|
let headers = vec!["Bar", "Baz", "Foo"];
|
||||||
let response = Response::new();
|
let response = Response::new();
|
||||||
let response =
|
let response = response.origin(
|
||||||
response.origin(&FromStr::from_str("https://www.example.com").unwrap(), false);
|
&FromStr::from_str("https://www.example.com").unwrap(),
|
||||||
|
false,
|
||||||
|
);
|
||||||
let response = response.exposed_headers(&headers);
|
let response = response.exposed_headers(&headers);
|
||||||
|
|
||||||
// Build response and check built response header
|
// Build response and check built response header
|
||||||
|
@ -1587,8 +1853,10 @@ mod tests {
|
||||||
#[test]
|
#[test]
|
||||||
fn response_sets_max_age_correctly() {
|
fn response_sets_max_age_correctly() {
|
||||||
let response = Response::new();
|
let response = Response::new();
|
||||||
let response =
|
let response = response.origin(
|
||||||
response.origin(&FromStr::from_str("https://www.example.com").unwrap(), false);
|
&FromStr::from_str("https://www.example.com").unwrap(),
|
||||||
|
false,
|
||||||
|
);
|
||||||
|
|
||||||
let response = response.max_age(Some(42));
|
let response = response.max_age(Some(42));
|
||||||
|
|
||||||
|
@ -1602,8 +1870,10 @@ mod tests {
|
||||||
#[test]
|
#[test]
|
||||||
fn response_does_not_set_max_age_when_none() {
|
fn response_does_not_set_max_age_when_none() {
|
||||||
let response = Response::new();
|
let response = Response::new();
|
||||||
let response =
|
let response = response.origin(
|
||||||
response.origin(&FromStr::from_str("https://www.example.com").unwrap(), false);
|
&FromStr::from_str("https://www.example.com").unwrap(),
|
||||||
|
false,
|
||||||
|
);
|
||||||
|
|
||||||
let response = response.max_age(None);
|
let response = response.max_age(None);
|
||||||
|
|
||||||
|
@ -1717,8 +1987,10 @@ mod tests {
|
||||||
.finalize();
|
.finalize();
|
||||||
|
|
||||||
let response = Response::new();
|
let response = Response::new();
|
||||||
let response =
|
let response = response.origin(
|
||||||
response.origin(&FromStr::from_str("https://www.example.com").unwrap(), false);
|
&FromStr::from_str("https://www.example.com").unwrap(),
|
||||||
|
false,
|
||||||
|
);
|
||||||
let response = response.response(original);
|
let response = response.response(original);
|
||||||
// Check CORS header
|
// Check CORS header
|
||||||
let expected_header = vec!["https://www.example.com"];
|
let expected_header = vec!["https://www.example.com"];
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
//! This crate tests using rocket_cors using Fairings
|
//! This crate tests using rocket_cors using Fairings
|
||||||
|
|
||||||
#![feature(plugin, custom_derive)]
|
#![feature(plugin)]
|
||||||
#![plugin(rocket_codegen)]
|
#![plugin(rocket_codegen)]
|
||||||
extern crate hyper;
|
extern crate hyper;
|
||||||
extern crate rocket;
|
extern crate rocket;
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
//! This crate tests using rocket_cors using the per-route handling with request guard
|
//! This crate tests using rocket_cors using the per-route handling with request guard
|
||||||
|
|
||||||
#![feature(plugin, custom_derive)]
|
#![feature(plugin)]
|
||||||
#![plugin(rocket_codegen)]
|
#![plugin(rocket_codegen)]
|
||||||
extern crate hyper;
|
extern crate hyper;
|
||||||
extern crate rocket;
|
extern crate rocket;
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
//! This crate tests that all the request headers are parsed correctly in the round trip
|
//! This crate tests that all the request headers are parsed correctly in the round trip
|
||||||
#![feature(plugin, custom_derive)]
|
#![feature(plugin)]
|
||||||
#![plugin(rocket_codegen)]
|
#![plugin(rocket_codegen)]
|
||||||
extern crate hyper;
|
extern crate hyper;
|
||||||
extern crate rocket;
|
extern crate rocket;
|
||||||
|
|
|
@ -0,0 +1,372 @@
|
||||||
|
//! This crate tests using rocket_cors using manual mode
|
||||||
|
|
||||||
|
#![feature(plugin, conservative_impl_trait)]
|
||||||
|
#![plugin(rocket_codegen)]
|
||||||
|
extern crate hyper;
|
||||||
|
extern crate rocket;
|
||||||
|
extern crate rocket_cors;
|
||||||
|
|
||||||
|
use std::str::FromStr;
|
||||||
|
|
||||||
|
use rocket::State;
|
||||||
|
use rocket::http::Method;
|
||||||
|
use rocket::http::{Header, Status};
|
||||||
|
use rocket::local::Client;
|
||||||
|
use rocket::response::Responder;
|
||||||
|
use rocket_cors::*;
|
||||||
|
|
||||||
|
/// Using a borrowed `Cors`
|
||||||
|
#[options("/")]
|
||||||
|
fn cors_options<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
|guard| guard.responder(()),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Using a borrowed `Cors`
|
||||||
|
#[get("/")]
|
||||||
|
fn cors<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
|guard| guard.responder("Hello CORS"),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[options("/panic")]
|
||||||
|
fn panicking_route_options<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(
|
||||||
|
|guard| guard.responder(()),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[get("/panic")]
|
||||||
|
fn panicking_route<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(|_| -> () {
|
||||||
|
panic!("This route will panic");
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// The following routes tests that the routes can be compiled with manual CORS
|
||||||
|
|
||||||
|
/// `Responder` with String
|
||||||
|
#[allow(unmounted_route)]
|
||||||
|
#[get("/")]
|
||||||
|
fn responder_string<'r>(options: State<'r, Cors>) -> impl Responder<'r> {
|
||||||
|
options.inner().respond_borrowed(|guard| {
|
||||||
|
guard.responder("Hello CORS".to_string())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
struct TestState;
|
||||||
|
/// Borrow something else from Rocket with lifetime `'r`
|
||||||
|
#[allow(unmounted_route)]
|
||||||
|
#[get("/")]
|
||||||
|
fn borrow<'r>(options: State<'r, Cors>, test_state: State<'r, TestState>) -> impl Responder<'r> {
|
||||||
|
let borrow = test_state.inner();
|
||||||
|
options.inner().respond_borrowed(move |guard| {
|
||||||
|
let _ = borrow;
|
||||||
|
guard.responder("Hello CORS".to_string())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Respond with an owned option instead
|
||||||
|
#[allow(unmounted_route)]
|
||||||
|
#[get("/")]
|
||||||
|
fn owned<'r>() -> impl Responder<'r> {
|
||||||
|
let borrow = make_cors_options();
|
||||||
|
|
||||||
|
borrow.respond_owned(|guard| guard.responder("Hello CORS"))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn make_cors_options() -> Cors {
|
||||||
|
let (allowed_origins, failed_origins) = AllowedOrigins::some(&["https://www.acme.com"]);
|
||||||
|
assert!(failed_origins.is_empty());
|
||||||
|
|
||||||
|
Cors {
|
||||||
|
allowed_origins: allowed_origins,
|
||||||
|
allowed_methods: vec![Method::Get].into_iter().map(From::from).collect(),
|
||||||
|
allowed_headers: AllowedHeaders::some(&["Authorization", "Accept"]),
|
||||||
|
allow_credentials: true,
|
||||||
|
..Default::default()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn rocket() -> rocket::Rocket {
|
||||||
|
rocket::ignite()
|
||||||
|
.mount(
|
||||||
|
"/",
|
||||||
|
routes![cors, cors_options, panicking_route, panicking_route_options],
|
||||||
|
)
|
||||||
|
.manage(make_cors_options())
|
||||||
|
.attach(make_cors_options())
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn smoke_test() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
// `Options` pre-flight checks
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.acme.com").unwrap(),
|
||||||
|
);
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Get,
|
||||||
|
));
|
||||||
|
let request_headers = hyper::header::AccessControlRequestHeaders(
|
||||||
|
vec![FromStr::from_str("Authorization").unwrap()],
|
||||||
|
);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client
|
||||||
|
.options("/")
|
||||||
|
.header(origin_header)
|
||||||
|
.header(method_header)
|
||||||
|
.header(request_headers);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert!(response.status().class().is_success());
|
||||||
|
|
||||||
|
// "Actual" request
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.acme.com").unwrap(),
|
||||||
|
);
|
||||||
|
let authorization = Header::new("Authorization", "let me in");
|
||||||
|
let req = client.get("/").header(origin_header).header(authorization);
|
||||||
|
|
||||||
|
let mut response = req.dispatch();
|
||||||
|
assert!(response.status().class().is_success());
|
||||||
|
let body_str = response.body().and_then(|body| body.into_string());
|
||||||
|
assert_eq!(body_str, Some("Hello CORS".to_string()));
|
||||||
|
|
||||||
|
let origin_header = response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.expect("to exist");
|
||||||
|
assert_eq!("https://www.acme.com", origin_header);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_options_check() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.acme.com").unwrap(),
|
||||||
|
);
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Get,
|
||||||
|
));
|
||||||
|
let request_headers = hyper::header::AccessControlRequestHeaders(
|
||||||
|
vec![FromStr::from_str("Authorization").unwrap()],
|
||||||
|
);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client
|
||||||
|
.options("/")
|
||||||
|
.header(origin_header)
|
||||||
|
.header(method_header)
|
||||||
|
.header(request_headers);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert!(response.status().class().is_success());
|
||||||
|
|
||||||
|
let origin_header = response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.expect("to exist");
|
||||||
|
assert_eq!("https://www.acme.com", origin_header);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_get_check() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.acme.com").unwrap(),
|
||||||
|
);
|
||||||
|
let authorization = Header::new("Authorization", "let me in");
|
||||||
|
let req = client.get("/").header(origin_header).header(authorization);
|
||||||
|
|
||||||
|
let mut response = req.dispatch();
|
||||||
|
println!("{:?}", response);
|
||||||
|
assert!(response.status().class().is_success());
|
||||||
|
let body_str = response.body().and_then(|body| body.into_string());
|
||||||
|
assert_eq!(body_str, Some("Hello CORS".to_string()));
|
||||||
|
|
||||||
|
let origin_header = response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.expect("to exist");
|
||||||
|
assert_eq!("https://www.acme.com", origin_header);
|
||||||
|
}
|
||||||
|
|
||||||
|
/// This test is to check that non CORS compliant requests to GET should still work. (i.e. curl)
|
||||||
|
#[test]
|
||||||
|
fn cors_get_no_origin() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let authorization = Header::new("Authorization", "let me in");
|
||||||
|
let req = client.get("/").header(authorization);
|
||||||
|
|
||||||
|
let mut response = req.dispatch();
|
||||||
|
assert!(response.status().class().is_success());
|
||||||
|
let body_str = response.body().and_then(|body| body.into_string());
|
||||||
|
assert_eq!(body_str, Some("Hello CORS".to_string()));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_options_bad_origin() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.bad-origin.com").unwrap(),
|
||||||
|
);
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Get,
|
||||||
|
));
|
||||||
|
let request_headers = hyper::header::AccessControlRequestHeaders(
|
||||||
|
vec![FromStr::from_str("Authorization").unwrap()],
|
||||||
|
);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client
|
||||||
|
.options("/")
|
||||||
|
.header(origin_header)
|
||||||
|
.header(method_header)
|
||||||
|
.header(request_headers);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert_eq!(response.status(), Status::Forbidden);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_options_missing_origin() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Get,
|
||||||
|
));
|
||||||
|
let request_headers = hyper::header::AccessControlRequestHeaders(
|
||||||
|
vec![FromStr::from_str("Authorization").unwrap()],
|
||||||
|
);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client.options("/").header(method_header).header(
|
||||||
|
request_headers,
|
||||||
|
);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert!(response.status().class().is_success());
|
||||||
|
assert!(
|
||||||
|
response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.is_none()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_options_bad_request_method() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.acme.com").unwrap(),
|
||||||
|
);
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Post,
|
||||||
|
));
|
||||||
|
let request_headers = hyper::header::AccessControlRequestHeaders(
|
||||||
|
vec![FromStr::from_str("Authorization").unwrap()],
|
||||||
|
);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client
|
||||||
|
.options("/")
|
||||||
|
.header(origin_header)
|
||||||
|
.header(method_header)
|
||||||
|
.header(request_headers);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert_eq!(response.status(), Status::Forbidden);
|
||||||
|
assert!(
|
||||||
|
response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.is_none()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_options_bad_request_header() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.acme.com").unwrap(),
|
||||||
|
);
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Get,
|
||||||
|
));
|
||||||
|
let request_headers =
|
||||||
|
hyper::header::AccessControlRequestHeaders(vec![FromStr::from_str("Foobar").unwrap()]);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client
|
||||||
|
.options("/")
|
||||||
|
.header(origin_header)
|
||||||
|
.header(method_header)
|
||||||
|
.header(request_headers);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert_eq!(response.status(), Status::Forbidden);
|
||||||
|
assert!(
|
||||||
|
response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.is_none()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn cors_get_bad_origin() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.bad-origin.com").unwrap(),
|
||||||
|
);
|
||||||
|
let authorization = Header::new("Authorization", "let me in");
|
||||||
|
let req = client.get("/").header(origin_header).header(authorization);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert_eq!(response.status(), Status::Forbidden);
|
||||||
|
assert!(
|
||||||
|
response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.is_none()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/// This test ensures that on a failing CORS request, the route (along with its side effects)
|
||||||
|
/// should never be executed.
|
||||||
|
/// The route used will panic if executed
|
||||||
|
#[test]
|
||||||
|
fn routes_failing_checks_are_not_executed() {
|
||||||
|
let client = Client::new(rocket()).unwrap();
|
||||||
|
|
||||||
|
let origin_header = Header::from(
|
||||||
|
hyper::header::Origin::from_str("https://www.bad-origin.com").unwrap(),
|
||||||
|
);
|
||||||
|
let method_header = Header::from(hyper::header::AccessControlRequestMethod(
|
||||||
|
hyper::method::Method::Get,
|
||||||
|
));
|
||||||
|
let request_headers = hyper::header::AccessControlRequestHeaders(
|
||||||
|
vec![FromStr::from_str("Authorization").unwrap()],
|
||||||
|
);
|
||||||
|
let request_headers = Header::from(request_headers);
|
||||||
|
let req = client
|
||||||
|
.options("/panic")
|
||||||
|
.header(origin_header)
|
||||||
|
.header(method_header)
|
||||||
|
.header(request_headers);
|
||||||
|
|
||||||
|
let response = req.dispatch();
|
||||||
|
assert_eq!(response.status(), Status::Forbidden);
|
||||||
|
assert!(
|
||||||
|
response
|
||||||
|
.headers()
|
||||||
|
.get_one("Access-Control-Allow-Origin")
|
||||||
|
.is_none()
|
||||||
|
);
|
||||||
|
}
|
Loading…
Reference in New Issue