|
2 | 2 |
|
3 | 3 | import static com.retailsvc.http.spec.HttpMethod.GET; |
4 | 4 | import static com.retailsvc.http.spec.HttpMethod.HEAD; |
| 5 | +import static com.retailsvc.http.spec.HttpMethod.OPTIONS; |
5 | 6 | import static java.net.HttpURLConnection.HTTP_BAD_METHOD; |
6 | 7 | import static java.net.HttpURLConnection.HTTP_BAD_REQUEST; |
| 8 | +import static java.net.HttpURLConnection.HTTP_FORBIDDEN; |
7 | 9 | import static java.net.HttpURLConnection.HTTP_INTERNAL_ERROR; |
| 10 | +import static java.net.HttpURLConnection.HTTP_NO_CONTENT; |
8 | 11 | import static java.net.HttpURLConnection.HTTP_OK; |
9 | 12 | import static java.net.HttpURLConnection.HTTP_UNAVAILABLE; |
10 | 13 | import static java.nio.charset.StandardCharsets.UTF_8; |
|
13 | 16 | import com.retailsvc.http.internal.ProblemDetail; |
14 | 17 | import com.retailsvc.http.internal.ProblemDetailRenderer; |
15 | 18 | import com.retailsvc.http.internal.ResourceSource; |
| 19 | +import com.retailsvc.http.spec.HttpMethod; |
16 | 20 | import java.io.InputStream; |
17 | 21 | import java.nio.file.Path; |
| 22 | +import java.time.Duration; |
18 | 23 | import java.util.List; |
| 24 | +import java.util.Locale; |
19 | 25 | import java.util.Objects; |
| 26 | +import java.util.Set; |
| 27 | +import java.util.function.Predicate; |
20 | 28 | import java.util.function.Supplier; |
21 | 29 | import java.util.stream.Collectors; |
22 | 30 | import org.slf4j.Logger; |
@@ -54,6 +62,126 @@ public static ResponseDecorator securityHeadersDecorator() { |
54 | 62 | }; |
55 | 63 | } |
56 | 64 |
|
| 65 | + /** |
| 66 | + * Returns a {@link RequestHandler} that answers CORS preflight {@code OPTIONS} requests for any |
| 67 | + * path the caller wires it under (typically via {@code |
| 68 | + * OpenApiServer.builder().extraRoute("/api/*", Handlers.corsPreflightHandler(...))}). |
| 69 | + * |
| 70 | + * <p>Requests are validated in order: origin against {@code allowedOrigins} (exact match), {@code |
| 71 | + * Access-Control-Request-Method} against {@code allowedMethods}, and each header in {@code |
| 72 | + * Access-Control-Request-Headers} against {@code allowedHeaders} (case-insensitive). A non-{@code |
| 73 | + * OPTIONS} request yields {@code 405} with {@code Allow: OPTIONS}; a missing {@code Origin} or |
| 74 | + * {@code Access-Control-Request-Method} header yields {@code 400}; any disallowed origin / method |
| 75 | + * / header yields {@code 403} with no CORS headers (the browser then blocks the request). |
| 76 | + * |
| 77 | + * <p>On success the response is {@code 204 No Content} with {@code Access-Control-Allow-Origin} |
| 78 | + * echoing the request's {@code Origin}, the configured method and header allowlists, and {@code |
| 79 | + * Vary: Origin} so caches segment by origin. {@code Access-Control-Allow-Credentials} and {@code |
| 80 | + * Access-Control-Max-Age} are emitted only when enabled. |
| 81 | + * |
| 82 | + * @param allowedOrigins exact-match origin allowlist; never {@code null} |
| 83 | + * @param allowedMethods non-empty list of methods to advertise in {@code Allow-Methods} |
| 84 | + * @param allowedHeaders header allowlist (matched case-insensitively); may be empty (then {@code |
| 85 | + * Access-Control-Allow-Headers} is omitted) |
| 86 | + * @param allowCredentials whether to emit {@code Access-Control-Allow-Credentials: true} |
| 87 | + * @param maxAge {@code Access-Control-Max-Age} value; {@code null} omits the header |
| 88 | + */ |
| 89 | + public static RequestHandler corsPreflightHandler( |
| 90 | + List<String> allowedOrigins, |
| 91 | + List<HttpMethod> allowedMethods, |
| 92 | + List<String> allowedHeaders, |
| 93 | + boolean allowCredentials, |
| 94 | + Duration maxAge) { |
| 95 | + Objects.requireNonNull(allowedOrigins, "allowedOrigins must not be null"); |
| 96 | + Set<String> origins = Set.copyOf(allowedOrigins); |
| 97 | + return corsPreflightHandler( |
| 98 | + origins::contains, allowedMethods, allowedHeaders, allowCredentials, maxAge); |
| 99 | + } |
| 100 | + |
| 101 | + /** |
| 102 | + * Predicate-based overload of {@link #corsPreflightHandler(List, List, List, boolean, Duration)} |
| 103 | + * for callers that need dynamic origin policy (regex, suffix match, config lookup). |
| 104 | + */ |
| 105 | + public static RequestHandler corsPreflightHandler( |
| 106 | + Predicate<String> originAllowed, |
| 107 | + List<HttpMethod> allowedMethods, |
| 108 | + List<String> allowedHeaders, |
| 109 | + boolean allowCredentials, |
| 110 | + Duration maxAge) { |
| 111 | + Objects.requireNonNull(originAllowed, "originAllowed must not be null"); |
| 112 | + Objects.requireNonNull(allowedMethods, "allowedMethods must not be null"); |
| 113 | + Objects.requireNonNull(allowedHeaders, "allowedHeaders must not be null"); |
| 114 | + if (allowedMethods.isEmpty()) { |
| 115 | + throw new IllegalArgumentException("allowedMethods must not be empty"); |
| 116 | + } |
| 117 | + if (maxAge != null && (maxAge.isNegative() || maxAge.getSeconds() > Integer.MAX_VALUE)) { |
| 118 | + throw new IllegalArgumentException( |
| 119 | + "maxAge must be non-negative and fit in an int number of seconds, got " + maxAge); |
| 120 | + } |
| 121 | + |
| 122 | + String allowMethodsHeader = |
| 123 | + allowedMethods.stream().map(Enum::name).collect(Collectors.joining(", ")); |
| 124 | + String allowHeadersHeader = String.join(", ", allowedHeaders); |
| 125 | + Set<String> headerAllowlistLower = |
| 126 | + allowedHeaders.stream() |
| 127 | + .map(h -> h.toLowerCase(Locale.ROOT)) |
| 128 | + .collect(Collectors.toUnmodifiableSet()); |
| 129 | + String maxAgeHeader = maxAge == null ? null : Long.toString(maxAge.getSeconds()); |
| 130 | + |
| 131 | + return req -> { |
| 132 | + if (req.method() != OPTIONS) { |
| 133 | + return Response.status(HTTP_BAD_METHOD).withHeader("Allow", "OPTIONS"); |
| 134 | + } |
| 135 | + String origin = req.header("Origin").orElse(null); |
| 136 | + if (origin == null) { |
| 137 | + throw new BadRequestException("CORS preflight is missing the Origin header"); |
| 138 | + } |
| 139 | + String requestMethod = req.header("Access-Control-Request-Method").orElse(null); |
| 140 | + if (requestMethod == null) { |
| 141 | + throw new BadRequestException( |
| 142 | + "CORS preflight is missing the Access-Control-Request-Method header"); |
| 143 | + } |
| 144 | + if (!originAllowed.test(origin)) { |
| 145 | + return Response.status(HTTP_FORBIDDEN); |
| 146 | + } |
| 147 | + HttpMethod parsedMethod; |
| 148 | + try { |
| 149 | + parsedMethod = HttpMethod.parse(requestMethod); |
| 150 | + } catch (IllegalArgumentException e) { |
| 151 | + return Response.status(HTTP_FORBIDDEN); |
| 152 | + } |
| 153 | + if (!allowedMethods.contains(parsedMethod)) { |
| 154 | + return Response.status(HTTP_FORBIDDEN); |
| 155 | + } |
| 156 | + String requestedHeaders = req.header("Access-Control-Request-Headers").orElse(""); |
| 157 | + for (String raw : requestedHeaders.split(",")) { |
| 158 | + String h = raw.trim().toLowerCase(Locale.ROOT); |
| 159 | + if (h.isEmpty()) { |
| 160 | + continue; |
| 161 | + } |
| 162 | + if (!headerAllowlistLower.contains(h)) { |
| 163 | + return Response.status(HTTP_FORBIDDEN); |
| 164 | + } |
| 165 | + } |
| 166 | + |
| 167 | + Response resp = |
| 168 | + Response.status(HTTP_NO_CONTENT) |
| 169 | + .withHeader("Access-Control-Allow-Origin", origin) |
| 170 | + .withHeader("Access-Control-Allow-Methods", allowMethodsHeader) |
| 171 | + .withHeader("Vary", "Origin"); |
| 172 | + if (!allowedHeaders.isEmpty()) { |
| 173 | + resp = resp.withHeader("Access-Control-Allow-Headers", allowHeadersHeader); |
| 174 | + } |
| 175 | + if (allowCredentials) { |
| 176 | + resp = resp.withHeader("Access-Control-Allow-Credentials", "true"); |
| 177 | + } |
| 178 | + if (maxAgeHeader != null) { |
| 179 | + resp = resp.withHeader("Access-Control-Max-Age", maxAgeHeader); |
| 180 | + } |
| 181 | + return resp; |
| 182 | + }; |
| 183 | + } |
| 184 | + |
57 | 185 | public static ExceptionHandler defaultExceptionHandler() { |
58 | 186 | return t -> |
59 | 187 | switch (t) { |
|
0 commit comments