Add preflight headers (#1829)

2025-02-23 20:47:01 +01:00 · 2023-07-09 12:06:40 +10:00 · 2023-07-09 12:06:40 +10:00 · a818cebc85
parent 0e53476a76
commit a818cebc85
2 changed files with 52 additions and 2 deletions
--- a/server/core/src/https/oauth2.rs
+++ b/server/core/src/https/oauth2.rs
@ -856,6 +856,16 @@ pub async fn oauth2_token_revoke_post(
    }
 }

+// Some requests from browsers require preflight so that CORS works.
+pub async fn oauth2_preflight_options() -> impl IntoResponse {
+    #[allow(clippy::unwrap_used)]
+    Response::builder()
+        .status(StatusCode::OK)
+        .header(ACCESS_CONTROL_ALLOW_ORIGIN, "*")
+        .body(Body::empty())
+        .unwrap()
+}
+
 pub fn oauth2_route_setup(state: ServerState) -> Router<ServerState> {
    // this has all the openid-related routes
    let openid_router = Router::new()
@ -863,13 +873,13 @@ pub fn oauth2_route_setup(state: ServerState) -> Router<ServerState> {
        // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
        .route(
            "/oauth2/openid/:client_id/.well-known/openid-configuration",
-            get(oauth2_openid_discovery_get),
+            get(oauth2_openid_discovery_get).options(oauth2_preflight_options),
        )
        // // ⚠️  ⚠️   WARNING  ⚠️  ⚠️
        // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
        .route(
            "/oauth2/openid/:client_id/userinfo",
-            get(oauth2_openid_userinfo_get),
+            get(oauth2_openid_userinfo_get).options(oauth2_preflight_options),
        )
        // // ⚠️  ⚠️   WARNING  ⚠️  ⚠️
        // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
--- a/server/testkit/tests/oauth2_test.rs
+++ b/server/testkit/tests/oauth2_test.rs
@ -132,6 +132,27 @@ async fn test_oauth2_openid_basic_flow(rsclient: KanidmClient) {
        .expect("Failed to create client.");

    // Step 0 - get the openid discovery details and the public key.
+    let response = client
+        .request(
+            reqwest::Method::OPTIONS,
+            format!(
+                "{}/oauth2/openid/test_integration/.well-known/openid-configuration",
+                url
+            ),
+        )
+        .send()
+        .await
+        .expect("Failed to send discovery preflight request.");
+
+    assert!(response.status() == reqwest::StatusCode::OK);
+    let cors_header: &str = response
+        .headers()
+        .get("access-control-allow-origin")
+        .expect("missing access-control-allow-origin header")
+        .to_str()
+        .expect("invalid access-control-allow-origin header");
+    assert!(cors_header.eq("*"));
+
    let response = client
        .get(format!(
            "{}/oauth2/openid/test_integration/.well-known/openid-configuration",
@ -607,6 +628,25 @@ async fn test_oauth2_openid_public_flow(rsclient: KanidmClient) {
    assert!(oidc.s_claims.email.as_deref() == Some("oauth_test@localhost"));
    assert!(oidc.s_claims.email_verified == Some(true));

+    // Check the preflight works.
+    let response = client
+        .request(
+            reqwest::Method::OPTIONS,
+            format!("{}/oauth2/openid/test_integration/userinfo", url),
+        )
+        .send()
+        .await
+        .expect("Failed to send userinfo preflight request.");
+
+    assert!(response.status() == reqwest::StatusCode::OK);
+    let cors_header: &str = response
+        .headers()
+        .get("access-control-allow-origin")
+        .expect("missing access-control-allow-origin header")
+        .to_str()
+        .expect("invalid access-control-allow-origin header");
+    assert!(cors_header.eq("*"));
+
    let response = client
        .get(format!("{}/oauth2/openid/test_integration/userinfo", url))
        .bearer_auth(atr.access_token.clone())