Add CORS OPTIONS routes.

2018-12-29 22:19:26 -06:00 · 2018-12-29 22:19:26 -06:00 · 26aa246188
commit 26aa246188
parent 774d0b446f
1 changed files with 26 additions and 1 deletions
--- a/src/main/nim/strawbosspkg/server.nim
+++ b/src/main/nim/strawbosspkg/server.nim
@ -37,6 +37,22 @@ template halt(code: HttpCode,
  result.matched = true
  break allRoutes

+template allowCors(methods = @["GET"], allowedHeaders = @["*"]): typed =
+  ## Immediately replies with the appropriate headers for a CORS response
+  ## allowing the specified options.. This means any further code will not be
+  ## executed after calling this template in the current route.
+  bind TCActionSend, newHttpHeaders
+  result[0] = CallbackAction.TCActionSend
+  result[1] = Http200
+  result[2] = some(@{
+    "Access-Control-Allow-Origin": $request.headers["Origin"],
+    "Access-Control-Allow-Methods": methods.join(", "),
+    "Access-Control-Allow-Headers": allowedHeaders.join(", ")
+  })
+  result[3] = ""
+  result.matched = true
+  break allRoutes
+
 template jsonResp(code: HttpCode, details: string = "", headers: RawHeaders = @{:} ) =
  halt(
    code,
@ -169,6 +185,7 @@ proc start*(cfg: StrawBossConfig): void =
    get "/version":
      resp($(%("strawboss v" & SB_VERSION)), JSON)

+    options "/auth-token": allowCors(@["POST"])
    post "/auth-token":
      var uname, pwd: string
      try:
@ -182,11 +199,14 @@ proc start*(cfg: StrawBossConfig): void =
        resp($(%authToken), JSON)
      except: jsonResp(Http401, getCurrentExceptionMsg())

+    options "/verify-auth": allowCors()
    get "/verify-auth":
      checkAuth()

      resp(Http200, $(%*{ "username": session.user.name }), JSON)

+    options "/projects": allowCors(@["GET", "POST"])
+
    get "/projects":
      ## List project summaries (ProjectDefs only)

@ -244,7 +264,7 @@ proc start*(cfg: StrawBossConfig): void =
          let msg = "unable to list versions for project " & @"projectName"
          json500Resp(getCurrentException(), msg)

-    get "/project/@projectName/version/@version?":
+    get "/project/@projectName/version/@version":
      ## Get a detailed project record including step definitions (ProjectConfig).

      checkAuth()
@ -407,6 +427,7 @@ proc start*(cfg: StrawBossConfig): void =
      ## TODO: how do we want to handle auth for this? Unlike
      #checkAuth(): if not authed: return true

+    options "/project/@projectName/step/@stepName/run/@buildRef?": allowCors(@["POST"])
    post "/project/@projectName/step/@stepName/run/@buildRef?":
      # Kick off a run

@ -444,6 +465,10 @@ proc start*(cfg: StrawBossConfig): void =
        resp($(%"shutting down"), JSON)


+    # In general, we will allow all cross-origin GET requests, as all of our
+    # APIs that are accessible via GET requests are idempotent.
+    options re".*": allowCors(@["GET"])
+
    get re".*":
      jsonResp(Http404)