From 966d668ac8e5d7d1c006b0b72e350fdc4b7fe471 Mon Sep 17 00:00:00 2001
From: Maciej Szlosarczyk
Date: Wed, 17 Oct 2018 11:38:12 +0300
Subject: [PATCH] Return Origin url instead of, as requested by ops

---
 app/controllers/api/cors_controller.rb | 2 +-
 .../api/v1/registrant/auth_controller.rb | 2 +-
 .../api/v1/registrant/base_controller.rb | 2 +-
 .../registrant/registrant_api_cors_headers_test.rb | 14 +++++++-------
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/app/controllers/api/cors_controller.rb b/app/controllers/api/cors_controller.rb
index 102f9726f..cd4c1a8d3 100644
--- a/app/controllers/api/cors_controller.rb
+++ b/app/controllers/api/cors_controller.rb
@@ -9,7 +9,7 @@ module Api
 end
 
 def set_access_control_headers
- response.headers['Access-Control-Allow-Origin'] = '*'
+ response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
 response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, ' \
 'Authorization, Token, Auth-Token, '\
diff --git a/app/controllers/api/v1/registrant/auth_controller.rb b/app/controllers/api/v1/registrant/auth_controller.rb
index 78a0f832d..c1fe3fbf8 100644
--- a/app/controllers/api/v1/registrant/auth_controller.rb
+++ b/app/controllers/api/v1/registrant/auth_controller.rb
@@ -29,7 +29,7 @@ module Api
 private
 
 def set_cors_header
- response.headers['Access-Control-Allow-Origin'] = '*'
+ response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 end
 
 def eid_params
diff --git a/app/controllers/api/v1/registrant/base_controller.rb b/app/controllers/api/v1/registrant/base_controller.rb
index 2afa916b6..e7f4d1ad1 100644
--- a/app/controllers/api/v1/registrant/base_controller.rb
+++ b/app/controllers/api/v1/registrant/base_controller.rb
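Review bot: Reflecting `request.headers['Origin']` unvalidated into `Access-Control-Allow-Origin` in set_access_control_headers grants every origin the same access as the old `'*'`, and becomes strictly more permissive than `'*'` should `Access-Control-Allow-Credentials: true` ever be added, because browsers reject credentialed responses carrying a literal `*` but accept a reflected origin; the identical assignment appears in set_cors_header in auth_controller.rb and base_controller.rb. If ops want the header to name the caller's origin, compare it against a configured allow-list and omit the header when it does not match, and set `Vary: Origin` alongside it so a shared cache cannot serve one origin's response to another. When a request carries no Origin header (same-origin or non-browser clients) the new line assigns nil to the header, which looks unintended. The body of set_access_control_headers continues past the hunk, so the sketch below leaves its remaining assignments in place.
```ruby
def set_access_control_headers
  origin = request.headers['Origin']
  # PERMITTED_ORIGINS is a placeholder for the deployment's configured allow-list
  if origin && PERMITTED_ORIGINS.include?(origin)
    response.headers['Access-Control-Allow-Origin'] = origin
    response.headers['Vary'] = 'Origin'
  end
  # … unchanged: Allow-Methods / Allow-Headers assignments …
```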
@@ -19,7 +19,7 @@ module Api
 private
 
 def set_cors_header
- response.headers['Access-Control-Allow-Origin'] = '*'
+ response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 end
 
 def bearer_token
diff --git a/test/integration/api/registrant/registrant_api_cors_headers_test.rb b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
index b5bb30d89..6bb768bc3 100644
--- a/test/integration/api/registrant/registrant_api_cors_headers_test.rb
+++ b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
@@ -2,7 +2,7 @@ require 'test_helper'
 
 class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 def test_returns_200_response_code_for_options_request
- options '/api/v1/registrant/auth/eid', {}
+ options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
 assert_equal('200', response.code)
 end
 
@@ -10,7 +10,7 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 def test_returns_expected_headers_for_options_requests
 options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
 
- assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+ assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
 assert_equal('POST, GET, PUT, PATCH, DELETE, OPTIONS', response.headers['Access-Control-Allow-Methods'])
 assert_equal('Origin, Content-Type, Accept, Authorization, Token, Auth-Token, Email, ' \
@@ -20,16 +20,16 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 end
 
 def test_returns_empty_body
- options '/api/v1/registrant/auth/eid', {}
+ options '/api/v1/registrant/auth/eid', { 'Origin' => 'https://example.com' }
 assert_equal('', response.body)
 end
 
 def test_it_returns_cors_headers_for_other_requests
- post '/api/v1/registrant/auth/eid', {}
- assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+ post '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
+ assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
 
- get '/api/v1/registrant/contacts', {}
- assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+ get '/api/v1/registrant/contacts', {}, { 'Origin' => 'https://example.com' }
+ assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
 end
 end
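Review bot: In test_returns_empty_body the new call `options '/api/v1/registrant/auth/eid', { 'Origin' => 'https://example.com' }` passes the Origin hash as the second positional argument, which every other call in this file uses for the params hash with the headers hash third, so here the origin most likely goes out as a request parameter rather than as a header; the test still passes only because it asserts nothing about the response headers. Bring it in line with the neighbouring calls: `options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }`. Since every request in the file now supplies an Origin, nothing covers a request without one; a case asserting what `Access-Control-Allow-Origin` holds when the header is absent would pin the intended behaviour for same-origin and non-browser clients.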