1185: fix cors issue r=MarinPostma a=MarinPostma

This PR fixes a bug where foreign origin were not accepted.
This was due to an update to actix-cors

It also fixes the cors bug when authentication failed, with the caveat that request that are denied for permissions reason are not logged. 

it introduces a bug described in  #1186

Co-authored-by: mpostma <postma.marin@protonmail.com>
This commit is contained in:
bors[bot] 2021-01-13 10:56:25 +00:00 committed by GitHub
commit 0bb8b3a68d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 17 deletions

View File

@ -6,6 +6,8 @@ use std::task::{Context, Poll};
use actix_service::{Service, Transform}; use actix_service::{Service, Transform};
use actix_web::{dev::ServiceRequest, dev::ServiceResponse, web}; use actix_web::{dev::ServiceRequest, dev::ServiceResponse, web};
use futures::future::{err, ok, Future, Ready}; use futures::future::{err, ok, Future, Ready};
use actix_web::error::ResponseError as _;
use actix_web::dev::Body;
use crate::error::{Error, ResponseError}; use crate::error::{Error, ResponseError};
use crate::Data; use crate::Data;
@ -17,14 +19,13 @@ pub enum Authentication {
Admin, Admin,
} }
impl<S: 'static, B> Transform<S> for Authentication impl<S: 'static> Transform<S> for Authentication
where where
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = actix_web::Error>, S: Service<Request = ServiceRequest, Response = ServiceResponse<Body>, Error = actix_web::Error>,
S::Future: 'static, S::Future: 'static,
B: 'static,
{ {
type Request = ServiceRequest; type Request = ServiceRequest;
type Response = ServiceResponse<B>; type Response = ServiceResponse<Body>;
type Error = actix_web::Error; type Error = actix_web::Error;
type InitError = (); type InitError = ();
type Transform = LoggingMiddleware<S>; type Transform = LoggingMiddleware<S>;
@ -44,14 +45,13 @@ pub struct LoggingMiddleware<S> {
} }
#[allow(clippy::type_complexity)] #[allow(clippy::type_complexity)]
impl<S, B> Service for LoggingMiddleware<S> impl<S> Service for LoggingMiddleware<S>
where where
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = actix_web::Error> + 'static, S: Service<Request = ServiceRequest, Response = ServiceResponse<Body>, Error = actix_web::Error> + 'static,
S::Future: 'static, S::Future: 'static,
B: 'static,
{ {
type Request = ServiceRequest; type Request = ServiceRequest;
type Response = ServiceResponse<B>; type Response = ServiceResponse<Body>;
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>; type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>;
@ -72,7 +72,11 @@ where
let auth_header = match req.headers().get("X-Meili-API-Key") { let auth_header = match req.headers().get("X-Meili-API-Key") {
Some(auth) => match auth.to_str() { Some(auth) => match auth.to_str() {
Ok(auth) => auth, Ok(auth) => auth,
Err(_) => return Box::pin(err(ResponseError::from(Error::MissingAuthorizationHeader).into())), Err(_) => {
let error = ResponseError::from(Error::MissingAuthorizationHeader).error_response();
let (request, _) = req.into_parts();
return Box::pin(ok(ServiceResponse::new(request, error)))
}
}, },
None => { None => {
return Box::pin(err(ResponseError::from(Error::MissingAuthorizationHeader).into())); return Box::pin(err(ResponseError::from(Error::MissingAuthorizationHeader).into()));
@ -95,9 +99,9 @@ where
if authenticated { if authenticated {
Box::pin(svc.call(req)) Box::pin(svc.call(req))
} else { } else {
Box::pin(err( let error = ResponseError::from(Error::InvalidToken(auth_header.to_string())).error_response();
ResponseError::from(Error::InvalidToken(auth_header.to_string())).into() let (request, _) = req.into_parts();
)) return Box::pin(ok(ServiceResponse::new(request, error)))
} }
} }
} }

View File

@ -82,13 +82,15 @@ async fn main() -> Result<(), MainError> {
let enable_frontend = opt.env != "production"; let enable_frontend = opt.env != "production";
let http_server = HttpServer::new(move || { let http_server = HttpServer::new(move || {
create_app(&data, enable_frontend) let cors = Cors::default()
.wrap(
Cors::default()
.send_wildcard() .send_wildcard()
.allowed_headers(vec!["content-type", "x-meili-api-key"]) .allowed_headers(vec!["content-type", "x-meili-api-key"])
.max_age(86_400) // 24h .allow_any_origin()
) .allow_any_method()
.max_age(86_400); // 24h
create_app(&data, enable_frontend)
.wrap(cors)
.wrap(middleware::Logger::default()) .wrap(middleware::Logger::default())
.wrap(middleware::Compress::default()) .wrap(middleware::Compress::default())
.wrap(NormalizePath) .wrap(NormalizePath)