Return Origin url instead of, as requested by ops

2025-06-08 05:34:46 +02:00 · 2018-10-17 11:38:12 +03:00 · 2018-10-17 11:38:12 +03:00 · 966d668ac8
commit 966d668ac8
parent 09e0a96b70
4 changed files with 10 additions and 10 deletions
--- a/app/controllers/api/cors_controller.rb
+++ b/app/controllers/api/cors_controller.rb
@ -9,7 +9,7 @@ module Api
    end
    def set_access_control_headers
-      response.headers['Access-Control-Allow-Origin'] = '*'
+      response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
      response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
      response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, ' \
                                                         'Authorization, Token, Auth-Token, '\
--- a/app/controllers/api/v1/registrant/auth_controller.rb
+++ b/app/controllers/api/v1/registrant/auth_controller.rb
@ -29,7 +29,7 @@ module Api
        private
        def set_cors_header
-          response.headers['Access-Control-Allow-Origin'] = '*'
+          response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
        end
        def eid_params
--- a/app/controllers/api/v1/registrant/base_controller.rb
+++ b/app/controllers/api/v1/registrant/base_controller.rb
@ -19,7 +19,7 @@ module Api
        private
        def set_cors_header
-          response.headers['Access-Control-Allow-Origin'] = '*'
+          response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
        end
        def bearer_token
--- a/test/integration/api/registrant/registrant_api_cors_headers_test.rb
+++ b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
@ -2,7 +2,7 @@ require 'test_helper'
 class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
  def test_returns_200_response_code_for_options_request
-    options '/api/v1/registrant/auth/eid', {}
+    options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
    assert_equal('200', response.code)
  end
@ -10,7 +10,7 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
  def test_returns_expected_headers_for_options_requests
    options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
-    assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+    assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
    assert_equal('POST, GET, PUT, PATCH, DELETE, OPTIONS',
                 response.headers['Access-Control-Allow-Methods'])
    assert_equal('Origin, Content-Type, Accept, Authorization, Token, Auth-Token, Email, ' \
@ -20,16 +20,16 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
  end
  def test_returns_empty_body
-    options '/api/v1/registrant/auth/eid', {}
+    options '/api/v1/registrant/auth/eid', { 'Origin' => 'https://example.com' }
    assert_equal('', response.body)
  end
  def test_it_returns_cors_headers_for_other_requests
-    post '/api/v1/registrant/auth/eid', {}
+    post '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
-    assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+    assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
-    get '/api/v1/registrant/contacts', {}
+    get '/api/v1/registrant/contacts', {}, { 'Origin' => 'https://example.com' }
-    assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+    assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
  end
 end