chore: Disable CORS on public API endpoints (#4970)

fixes: #3070
Sojan Jose 2022-07-05 15:00:17 +02:00 committed by GitHub
parent 029209a634
commit 5d2cdb40f5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 32 additions and 62 deletions


@ -77,16 +77,4 @@ Rails.application.configure do
Bullet.rails_logger = true Bullet.rails_logger = true
end end
# ref: https://github.com/cyu/rack-cors
config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/packs/*', headers: :any, methods: [:get, :options]
resource '/audio/*', headers: :any, methods: [:get, :options]
resource '*', headers: :any, methods: :any, expose: ['access-token', 'client', 'uid', 'expiry']
end
end
# ref : https://medium.com/@emikaijuin/connecting-to-action-cable-without-rails-d39a8aaa52d5
config.action_cable.disable_request_forgery_protection = true
end end


@ -42,16 +42,6 @@ Rails.application.configure do
# Store uploaded files on the local file system (see config/storage.yml for options) # Store uploaded files on the local file system (see config/storage.yml for options)
config.active_storage.service = ENV.fetch('ACTIVE_STORAGE_SERVICE', 'local').to_sym config.active_storage.service = ENV.fetch('ACTIVE_STORAGE_SERVICE', 'local').to_sym
# Mount Action Cable outside main process or domain
# config.action_cable.mount_path = nil
# config.action_cable.url = 'wss://example.com/cable'
# to enable connecting to the API channel public APIs
config.action_cable.disable_request_forgery_protection = true
# if ENV['FRONTEND_URL'].present?
# config.action_cable.allowed_request_origins = [ENV['FRONTEND_URL'], %r{https?://#{URI.parse(ENV['FRONTEND_URL']).host}(:[0-9]+)?}]
# end
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = ActiveModel::Type::Boolean.new.cast(ENV.fetch('FORCE_SSL', false)) config.force_ssl = ActiveModel::Type::Boolean.new.cast(ENV.fetch('FORCE_SSL', false))
@ -113,18 +103,4 @@ Rails.application.configure do
config.action_mailbox.ingress = ENV.fetch('RAILS_INBOUND_EMAIL_SERVICE', 'relay').to_sym config.action_mailbox.ingress = ENV.fetch('RAILS_INBOUND_EMAIL_SERVICE', 'relay').to_sym
Rails.application.routes.default_url_options = { host: ENV['FRONTEND_URL'] } Rails.application.routes.default_url_options = { host: ENV['FRONTEND_URL'] }
# font cors issue with CDN
# Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
# ref: https://github.com/cyu/rack-cors
config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/packs/*', headers: :any, methods: [:get, :options]
resource '/audio/*', headers: :any, methods: [:get, :options]
if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false))
resource '*', headers: :any, methods: :any, expose: ['access-token', 'client', 'uid', 'expiry']
end
end
end
end end


@ -34,11 +34,6 @@ Rails.application.configure do
# config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
# Mount Action Cable outside main process or domain
# config.action_cable.mount_path = nil
# config.action_cable.url = 'wss://example.com/cable'
# config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = ActiveModel::Type::Boolean.new.cast(ENV.fetch('FORCE_SSL', false)) config.force_ssl = ActiveModel::Type::Boolean.new.cast(ENV.fetch('FORCE_SSL', false))
@ -80,14 +75,4 @@ Rails.application.configure do
# Do not dump schema after migrations. # Do not dump schema after migrations.
config.active_record.dump_schema_after_migration = false config.active_record.dump_schema_after_migration = false
# font cors issue with CDN
# Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/packs/*', headers: :any, methods: [:get, :options]
resource '/audio/*', headers: :any, methods: [:get, :options]
end
end
end end


@ -51,14 +51,4 @@ Rails.application.configure do
# Raises error for missing translations. # Raises error for missing translations.
# config.action_view.raise_on_missing_translations = true # config.action_view.raise_on_missing_translations = true
config.log_level = ENV.fetch('LOG_LEVEL', 'debug').to_sym config.log_level = ENV.fetch('LOG_LEVEL', 'debug').to_sym
# font cors issue with CDN
# Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/packs/*', headers: :any, methods: [:get, :options]
resource '/audio/*', headers: :any, methods: [:get, :options]
end
end
end end


@ -0,0 +1,31 @@
# config/initializers/cors.rb
# ref: https://github.com/cyu/rack-cors
# font cors issue with CDN
# Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/packs/*', headers: :any, methods: [:get, :options]
resource '/audio/*', headers: :any, methods: [:get, :options]
# Make the public endpoints accessible to the frontend
resource '/public/api/*', headers: :any, methods: :any
if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
end
end
end
################################################
######### Action Cable Related Config ##########
################################################
# Mount Action Cable outside main process or domain
# Rails.application.config.action_cable.mount_path = nil
# Rails.application.config.action_cable.url = 'wss://example.com/cable'
# Rails.application.config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
# To Enable connecting to the API channel public APIs
# ref : https://medium.com/@emikaijuin/connecting-to-action-cable-without-rails-d39a8aaa52d5
Rails.application.config.action_cable.disable_request_forgery_protection = true
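Review bot: The last line, `Rails.application.config.action_cable.disable_request_forgery_protection = true`, now switches off Action Cable's origin check in every environment unconditionally, whereas the per-environment settings this commit removes (including the commented `allowed_request_origins` block keyed on `FRONTEND_URL` in the second file section) left room for an origin allow-list in production, and the environments whose sections only had commented-out cable config presumably did not have it disabled before. Any web origin can therefore open a WebSocket to the cable endpoint, so the file should state what makes that acceptable rather than leaving it to the reader to infer; the existing "To Enable connecting to the API channel public APIs" comment says why it is wanted but not why it is safe. I would add above it a comment such as `# Origin checks are off so embedded widgets on arbitrary sites can connect; the connection must authenticate from a token in the subscription/connection params, never from the session cookie — confirm in the cable connection class`. The same caveat applies to the new `resource '/public/api/*', headers: :any, methods: :any` under `origins '*'`: browsers will not attach cookies to a wildcard-origin CORS request, so these endpoints must be anonymous or token-authenticated, and a one-line comment saying so would help the next maintainer avoid mistakenly relying on session state there.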