Skip to main content

arcly_http/web/
cors.rs

1//! Config-driven CORS, applied as one stateless layer at launch.
2//!
3//! Off by default (`LaunchConfig::cors = None`) — zero per-request cost when
4//! disabled because the layer simply isn't mounted. When enabled, the per-
5//! request work is a header lookup against a boot-frozen origin list.
6//!
7//! Semantics follow the WHATWG fetch spec pragmatically:
8//! - Preflight (`OPTIONS` + `Access-Control-Request-Method`) from an allowed
9//!   origin short-circuits with `204` and the allow-headers — the request
10//!   never reaches routing, guards, or body read.
11//! - Actual requests from an allowed origin get `Access-Control-Allow-*`
12//!   response headers plus `Vary: Origin`.
13//! - `"*"` in `allow_origins` allows any origin. Combined with
14//!   `allow_credentials` the *specific* origin is echoed back (the spec
15//!   forbids `*` with credentials).
16
17use axum::body::Body;
18use axum::extract::Request;
19use axum::http::{HeaderValue, Method};
20use axum::middleware::Next;
21use axum::response::Response;
22
23/// CORS policy, frozen at launch.
24#[derive(Clone, Debug)]
25#[non_exhaustive]
26pub struct CorsConfig {
27    /// Exact origins (scheme + host + port), or `"*"` for any.
28    pub allow_origins: Vec<String>,
29    pub allow_methods: String,
30    pub allow_headers: String,
31    pub allow_credentials: bool,
32    pub max_age_secs: u32,
33}
34
35impl Default for CorsConfig {
36    fn default() -> Self {
37        Self {
38            allow_origins: vec![],
39            allow_methods: "GET, POST, PUT, PATCH, DELETE, OPTIONS".into(),
40            allow_headers: "content-type, authorization, x-request-id, x-tenant-id, \
41                            idempotency-key, traceparent"
42                .into(),
43            allow_credentials: false,
44            max_age_secs: 600,
45        }
46    }
47}
48
49impl CorsConfig {
50    /// Convenience: allow exactly these origins with credentials enabled —
51    /// the common SPA setup.
52    pub fn for_origins<I, S>(origins: I) -> Self
53    where
54        I: IntoIterator<Item = S>,
55        S: Into<String>,
56    {
57        Self {
58            allow_origins: origins.into_iter().map(Into::into).collect(),
59            allow_credentials: true,
60            ..Default::default()
61        }
62    }
63
64    pub fn allow_origins<I, S>(mut self, origins: I) -> Self
65    where
66        I: IntoIterator<Item = S>,
67        S: Into<String>,
68    {
69        self.allow_origins = origins.into_iter().map(Into::into).collect();
70        self
71    }
72    pub fn allow_methods(mut self, v: impl Into<String>) -> Self {
73        self.allow_methods = v.into();
74        self
75    }
76    pub fn allow_headers(mut self, v: impl Into<String>) -> Self {
77        self.allow_headers = v.into();
78        self
79    }
80    pub fn allow_credentials(mut self, v: bool) -> Self {
81        self.allow_credentials = v;
82        self
83    }
84    pub fn max_age_secs(mut self, v: u32) -> Self {
85        self.max_age_secs = v;
86        self
87    }
88
89    /// The origin value to echo for this request, if allowed.
90    fn allowed_origin(&self, origin: &str) -> Option<String> {
91        let any = self.allow_origins.iter().any(|o| o == "*");
92        if any && !self.allow_credentials {
93            return Some("*".to_owned());
94        }
95        if any || self.allow_origins.iter().any(|o| o == origin) {
96            return Some(origin.to_owned());
97        }
98        None
99    }
100}
101
102pub(crate) async fn apply_cors(cfg: &'static CorsConfig, req: Request, next: Next) -> Response {
103    let origin = req
104        .headers()
105        .get("origin")
106        .and_then(|v| v.to_str().ok())
107        .map(str::to_owned);
108
109    let allowed = origin.as_deref().and_then(|o| cfg.allowed_origin(o));
110
111    // Preflight: answer before routing/auth/body — but only for allowed origins.
112    let is_preflight = req.method() == Method::OPTIONS
113        && req.headers().contains_key("access-control-request-method");
114    if is_preflight {
115        let Some(echo) = allowed else {
116            // Disallowed origin: no CORS headers; the browser blocks it.
117            return Response::builder()
118                .status(403)
119                .body(Body::empty())
120                .expect("static preflight denial");
121        };
122        let mut resp = Response::builder()
123            .status(204)
124            .body(Body::empty())
125            .expect("static preflight response");
126        set_cors_headers(resp.headers_mut(), cfg, &echo);
127        resp.headers_mut().insert(
128            "access-control-max-age",
129            HeaderValue::from_str(&cfg.max_age_secs.to_string()).expect("numeric"),
130        );
131        return resp;
132    }
133
134    let mut resp = next.run(req).await;
135    if let Some(echo) = allowed {
136        set_cors_headers(resp.headers_mut(), cfg, &echo);
137    }
138    resp
139}
140
141fn set_cors_headers(headers: &mut axum::http::HeaderMap, cfg: &CorsConfig, origin: &str) {
142    if let Ok(v) = HeaderValue::from_str(origin) {
143        headers.insert("access-control-allow-origin", v);
144    }
145    if let Ok(v) = HeaderValue::from_str(&cfg.allow_methods) {
146        headers.insert("access-control-allow-methods", v);
147    }
148    if let Ok(v) = HeaderValue::from_str(&cfg.allow_headers) {
149        headers.insert("access-control-allow-headers", v);
150    }
151    if cfg.allow_credentials {
152        headers.insert(
153            "access-control-allow-credentials",
154            HeaderValue::from_static("true"),
155        );
156    }
157    headers.append("vary", HeaderValue::from_static("origin"));
158}