From 09e0a96b708d9cc6e0f1318806fdca3e143d81b0 Mon Sep 17 00:00:00 2001
From: Maciej Szlosarczyk
Date: Wed, 17 Oct 2018 11:22:52 +0300
Subject: [PATCH 1/2] Ensure cors headers are also returned for other requests
---
 app/controllers/api/v1/registrant/auth_controller.rb | 5 +++++
 app/controllers/api/v1/registrant/base_controller.rb | 5 +++++
 .../api/registrant/registrant_api_cors_headers_test.rb | 8 ++++++++
 3 files changed, 18 insertions(+)
diff --git a/app/controllers/api/v1/registrant/auth_controller.rb b/app/controllers/api/v1/registrant/auth_controller.rb
index 929d5b5c9..78a0f832d 100644
--- a/app/controllers/api/v1/registrant/auth_controller.rb
+++ b/app/controllers/api/v1/registrant/auth_controller.rb
@@ -5,6 +5,7 @@ module Api
 module V1
 module Registrant
 class AuthController < ActionController::API
+before_action :set_cors_header
 before_action :check_ip_whitelist
 rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
@@ -27,6 +28,10 @@ module Api
 private
+def set_cors_header
+response.headers['Access-Control-Allow-Origin'] = '*'
+end
+
 def eid_params
 required_params = %i[ident first_name last_name]
 required_params.each_with_object(params) do |key, obj|
diff --git a/app/controllers/api/v1/registrant/base_controller.rb b/app/controllers/api/v1/registrant/base_controller.rb
index 4497d68e6..2afa916b6 100644
--- a/app/controllers/api/v1/registrant/base_controller.rb
+++ b/app/controllers/api/v1/registrant/base_controller.rb
@@ -5,6 +5,7 @@ module Api
 module V1
 module Registrant
 class BaseController < ActionController::API
+before_action :set_cors_header
 before_action :authenticate
 before_action :set_paper_trail_whodunnit
@@ -17,6 +18,10 @@ module Api
 private
+def set_cors_header
+response.headers['Access-Control-Allow-Origin'] = '*'
+end
+
 def bearer_token
 pattern = /^Bearer /
 header = request.headers['Authorization']
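Review bot: The private `set_cors_header` added in the second auth_controller.rb hunk is repeated verbatim in the second base_controller.rb hunk, and CorsController already carries the same assignment in `set_access_control_headers`, so the allow-origin policy now lives in three places. I would move the method and its `before_action` into one shared module (a concern under `Api`, name to be chosen) that both controllers include, so a policy change is made once; the follow-up commit in this series already had to edit all three copies. A one-line comment on the shared method such as `# Sets the CORS allow-origin header on every response, including ones halted by a later before_action` would also record why it is registered ahead of `check_ip_whitelist` and `authenticate`. The enclosing classes continue outside these hunks.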
diff --git a/test/integration/api/registrant/registrant_api_cors_headers_test.rb b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
index 1445253fd..b5bb30d89 100644
--- a/test/integration/api/registrant/registrant_api_cors_headers_test.rb
+++ b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
@@ -24,4 +24,12 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 assert_equal('', response.body)
 end
+
+def test_it_returns_cors_headers_for_other_requests
+post '/api/v1/registrant/auth/eid', {}
+assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+
+get '/api/v1/registrant/contacts', {}
+assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+end
 end
From 966d668ac8e5d7d1c006b0b72e350fdc4b7fe471 Mon Sep 17 00:00:00 2001
From: Maciej Szlosarczyk
Date: Wed, 17 Oct 2018 11:38:12 +0300
Subject: [PATCH 2/2] Return Origin url instead of, as requested by ops
---
 app/controllers/api/cors_controller.rb | 2 +-
 .../api/v1/registrant/auth_controller.rb | 2 +-
 .../api/v1/registrant/base_controller.rb | 2 +-
 .../registrant/registrant_api_cors_headers_test.rb | 14 +++++++-------
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/controllers/api/cors_controller.rb b/app/controllers/api/cors_controller.rb
index 102f9726f..cd4c1a8d3 100644
--- a/app/controllers/api/cors_controller.rb
+++ b/app/controllers/api/cors_controller.rb
@@ -9,7 +9,7 @@ module Api
 end
 def set_access_control_headers
-response.headers['Access-Control-Allow-Origin'] = '*'
+response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
 response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, ' \
 'Authorization, Token, Auth-Token, '\
diff --git a/app/controllers/api/v1/registrant/auth_controller.rb b/app/controllers/api/v1/registrant/auth_controller.rb
index 78a0f832d..c1fe3fbf8 100644
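Review bot: Echoing `request.headers['Origin']` into `Access-Control-Allow-Origin` in `set_access_control_headers` (and identically in the `set_cors_header` hunks for auth_controller.rb and base_controller.rb in this patch) does not restrict anything compared with `'*'`: every origin is still accepted, and it is the pattern that turns into a real hole the day `Access-Control-Allow-Credentials: true` is added next to it, because a reflected origin is then valid for credentialed requests. If ops wants particular origins, the value should be compared against a configured allowlist and only echoed on a match; as written, a request without an Origin header assigns nil to the response header, which should instead skip the header. Because the response now depends on the Origin request header, it must also carry `Vary: Origin` (merged with any existing Vary value), or a shared cache can hand one origin's allow header to another. `set_access_control_headers` continues past the end of the hunk.
```ruby
def set_access_control_headers
  origin = request.headers['Origin']
  # ALLOWED_ORIGINS is a placeholder for the configured list of permitted origins
  if origin && ALLOWED_ORIGINS.include?(origin)
    response.headers['Access-Control-Allow-Origin'] = origin
    response.headers['Vary'] = 'Origin'
  end
  # … unchanged: Allow-Methods and Allow-Headers assignments …
```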
--- a/app/controllers/api/v1/registrant/auth_controller.rb
+++ b/app/controllers/api/v1/registrant/auth_controller.rb
@@ -29,7 +29,7 @@ module Api
 private
 def set_cors_header
-response.headers['Access-Control-Allow-Origin'] = '*'
+response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 end
 def eid_params
diff --git a/app/controllers/api/v1/registrant/base_controller.rb b/app/controllers/api/v1/registrant/base_controller.rb
index 2afa916b6..e7f4d1ad1 100644
--- a/app/controllers/api/v1/registrant/base_controller.rb
+++ b/app/controllers/api/v1/registrant/base_controller.rb
@@ -19,7 +19,7 @@ module Api
 private
 def set_cors_header
-response.headers['Access-Control-Allow-Origin'] = '*'
+response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
 end
 def bearer_token
diff --git a/test/integration/api/registrant/registrant_api_cors_headers_test.rb b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
index b5bb30d89..6bb768bc3 100644
--- a/test/integration/api/registrant/registrant_api_cors_headers_test.rb
+++ b/test/integration/api/registrant/registrant_api_cors_headers_test.rb
@@ -2,7 +2,7 @@ require 'test_helper'
 class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 def test_returns_200_response_code_for_options_request
-options '/api/v1/registrant/auth/eid', {}
+options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
 assert_equal('200', response.code)
 end
@@ -10,7 +10,7 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 def test_returns_expected_headers_for_options_requests
 options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
-assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
 assert_equal('POST, GET, PUT, PATCH, DELETE, OPTIONS', response.headers['Access-Control-Allow-Methods'])
 assert_equal('Origin, Content-Type, Accept, Authorization, Token, Auth-Token, Email, ' \
@@ -20,16 +20,16 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 end
 def test_returns_empty_body
-options '/api/v1/registrant/auth/eid', {}
+options '/api/v1/registrant/auth/eid', { 'Origin' => 'https://example.com' }
 assert_equal('', response.body)
 end
 def test_it_returns_cors_headers_for_other_requests
-post '/api/v1/registrant/auth/eid', {}
-assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+post '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }
+assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
-get '/api/v1/registrant/contacts', {}
-assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+get '/api/v1/registrant/contacts', {}, { 'Origin' => 'https://example.com' }
+assert_equal('https://example.com', response.headers['Access-Control-Allow-Origin'])
 end
 end
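Review bot: In `test_returns_empty_body` the `{ 'Origin' => 'https://example.com' }` hash is passed as the second argument, which every other call in this file uses for params, while the request headers go in the third argument: `options '/api/v1/registrant/auth/eid', {}, { 'Origin' => 'https://example.com' }`. The test still passes because it only asserts on the body, so the mismatch is silent and the request is not sent with the Origin the test name implies. The updated tests also only cover the happy path; there is no case for a request that sends no Origin header or one that should not be allowed, which is exactly where echoing the Origin differs from `'*'`. I would add one assertion for each so the intended policy is pinned rather than inferred.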