jerrycan-core 0.2.0

Core of the jerrycan framework: routing, extractors, dependency injection, middleware. https://jerrycan.cc
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

//! CORS (spec §v2.2). Lives in core because preflight must be answered BEFORE
//! routing (an `OPTIONS` to a method-mismatched route is rejected 405 before
//! any middleware runs), so CORS is a pre-routing + response-decoration concern
//! integrated into `route_policy`/dispatch in later tasks — not a `Middleware`.

use crate::response::{JcBody, Response};
use http::{HeaderValue, Method, StatusCode, header};
use std::time::Duration;

/// Which origins may make cross-origin requests.
#[derive(Clone, Debug)]
pub enum CorsOrigins {
    /// Any origin (`Access-Control-Allow-Origin: *`). Invalid with credentials —
    /// `App::build` refuses the combination.
    Any,
    /// An exact-match allowlist of origin strings (scheme + host + optional port).
    List(Vec<String>),
}

impl CorsOrigins {
    pub fn any() -> Self {
        Self::Any
    }
    pub fn list<I, S>(origins: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        Self::List(origins.into_iter().map(Into::into).collect())
    }
}

/// CORS policy. Build with `CorsConfig::new(origins)`, chain options, install
/// with `App::cors(config)`.
#[derive(Clone, Debug)]
pub struct CorsConfig {
    origins: CorsOrigins,
    methods: Vec<http::Method>, // empty => reflect the route's real methods on preflight
    headers: Vec<String>,       // empty => reflect Access-Control-Request-Headers
    expose: Vec<String>,
    allow_credentials: bool,
    max_age: Option<Duration>,
}

impl CorsConfig {
    pub fn new(origins: CorsOrigins) -> Self {
        Self {
            origins,
            methods: Vec::new(),
            headers: Vec::new(),
            expose: Vec::new(),
            allow_credentials: false,
            max_age: None,
        }
    }
    pub fn allow_credentials(mut self, yes: bool) -> Self {
        self.allow_credentials = yes;
        self
    }
    pub fn max_age(mut self, d: Duration) -> Self {
        self.max_age = Some(d);
        self
    }
    pub fn allow_methods<I: IntoIterator<Item = http::Method>>(mut self, m: I) -> Self {
        self.methods = m.into_iter().collect();
        self
    }
    pub fn allow_headers<I: IntoIterator<Item = S>, S: Into<String>>(mut self, h: I) -> Self {
        self.headers = h.into_iter().map(Into::into).collect();
        self
    }
    pub fn expose_headers<I: IntoIterator<Item = S>, S: Into<String>>(mut self, h: I) -> Self {
        self.expose = h.into_iter().map(Into::into).collect();
        self
    }

    /// Public reader (the builder method `allow_credentials(bool)` can't share the name).
    pub fn allow_credentials_enabled(&self) -> bool {
        self.allow_credentials
    }

    /// True if `origin` is permitted. `Any` matches everything; `List` is exact.
    pub fn allows_origin(&self, origin: &str) -> bool {
        match &self.origins {
            CorsOrigins::Any => true,
            CorsOrigins::List(list) => list.iter().any(|o| o == origin),
        }
    }

    /// Configured `allow_methods` (empty => reflect the route's real methods).
    pub(crate) fn cfg_methods(&self) -> &[http::Method] {
        &self.methods
    }
    /// Configured `allow_headers` (empty => reflect `Access-Control-Request-Headers`).
    pub(crate) fn cfg_headers(&self) -> &[String] {
        &self.headers
    }
    /// Configured `Access-Control-Max-Age`, if set.
    pub(crate) fn cfg_max_age(&self) -> Option<std::time::Duration> {
        self.max_age
    }
    /// Whether `Access-Control-Allow-Credentials: true` is emitted.
    pub(crate) fn credentials(&self) -> bool {
        self.allow_credentials
    }
    /// Configured `expose_headers` (empty => no `Access-Control-Expose-Headers`).
    pub(crate) fn cfg_expose(&self) -> &[String] {
        &self.expose
    }

    /// Validate at build time: `*` + credentials is forbidden by the Fetch spec
    /// and is a footgun, so it is a build error, not a runtime surprise.
    pub(crate) fn validate(&self) -> crate::Result<()> {
        if self.allow_credentials && matches!(self.origins, CorsOrigins::Any) {
            return Err(crate::Error::internal(
                "CORS misconfiguration: allow_credentials(true) cannot be combined with CorsOrigins::any() — list explicit origins",
            ));
        }
        Ok(())
    }
}

/// Is this request a CORS preflight? (`OPTIONS` + `Origin` +
/// `Access-Control-Request-Method`). All three are required by the Fetch spec;
/// a bare `OPTIONS` (no origin/no ACRM) is a normal request, not a preflight.
pub(crate) fn is_preflight(parts: &http::request::Parts) -> bool {
    parts.method == Method::OPTIONS
        && parts.headers.contains_key(header::ORIGIN)
        && parts
            .headers
            .contains_key(header::ACCESS_CONTROL_REQUEST_METHOD)
}

/// Build the CORS preflight `204` for an ALLOWED origin. `allowed_methods` are
/// the route's real methods (used when the config doesn't pin `allow_methods`).
/// Returns a bare `204` carrying ONLY CORS headers — deliberately no security
/// headers, since `cache-control: no-store` would fight `Access-Control-Max-Age`.
pub(crate) fn preflight_response(
    config: &CorsConfig,
    origin: &str,
    request_headers: Option<&str>,
    allowed_methods: &[Method],
) -> Response {
    let mut r = http::Response::new(JcBody::empty());
    *r.status_mut() = StatusCode::NO_CONTENT;
    let h = r.headers_mut();
    if let Ok(v) = HeaderValue::from_str(origin) {
        h.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, v);
        h.insert(header::VARY, HeaderValue::from_static("Origin"));
    }
    if config.credentials() {
        h.insert(
            header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
            HeaderValue::from_static("true"),
        );
    }
    let methods = if config.cfg_methods().is_empty() {
        allowed_methods
    } else {
        config.cfg_methods()
    };
    let methods_joined = methods
        .iter()
        .map(Method::as_str)
        .collect::<Vec<_>>()
        .join(", ");
    if let Ok(v) = HeaderValue::from_str(&methods_joined) {
        h.insert(header::ACCESS_CONTROL_ALLOW_METHODS, v);
    }
    let allow_headers = if config.cfg_headers().is_empty() {
        request_headers.map(str::to_string)
    } else {
        Some(config.cfg_headers().join(", "))
    };
    if let Some(hdrs) = allow_headers
        && let Ok(v) = HeaderValue::from_str(&hdrs)
    {
        h.insert(header::ACCESS_CONTROL_ALLOW_HEADERS, v);
    }
    if let Some(age) = config.cfg_max_age()
        && let Ok(v) = HeaderValue::from_str(&age.as_secs().to_string())
    {
        h.insert(header::ACCESS_CONTROL_MAX_AGE, v);
    }
    r
}

/// Decorate an actual (non-preflight) response with CORS headers for an allowed
/// origin. Insert-if-absent so handler-set values win; APPEND `Vary: Origin`
/// (don't clobber a content-negotiation Vary). No-op for a same-origin request
/// (no Origin) or a disallowed origin. `origin` is the request's Origin header
/// value (already extracted); the matching/echo is fallible and skips on bad bytes.
pub(crate) fn apply_cors(res: &mut Response, origin: Option<&HeaderValue>, config: &CorsConfig) {
    let Some(origin) = origin.and_then(|v| v.to_str().ok()) else {
        return;
    };
    if !config.allows_origin(origin) {
        return;
    }
    let Ok(origin_val) = HeaderValue::from_str(origin) else {
        return;
    };
    let h = res.headers_mut();
    if !h.contains_key(header::ACCESS_CONTROL_ALLOW_ORIGIN) {
        h.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin_val);
    }
    if config.credentials() && !h.contains_key(header::ACCESS_CONTROL_ALLOW_CREDENTIALS) {
        h.insert(
            header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
            HeaderValue::from_static("true"),
        );
    }
    if !config.cfg_expose().is_empty()
        && !h.contains_key(header::ACCESS_CONTROL_EXPOSE_HEADERS)
        && let Ok(v) = HeaderValue::from_str(&config.cfg_expose().join(", "))
    {
        h.insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, v);
    }
    // Vary: Origin — append unless already present (caches must not serve a
    // wrong-origin response). Check existing Vary values case-insensitively.
    let has_origin_vary = h.get_all(header::VARY).iter().any(|v| {
        v.to_str()
            .map(|s| {
                s.split(',')
                    .any(|p| p.trim().eq_ignore_ascii_case("origin"))
            })
            .unwrap_or(false)
    });
    if !has_origin_vary {
        h.append(header::VARY, HeaderValue::from_static("Origin"));
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn config_builder_shapes_origins_and_credentials() {
        let c = CorsConfig::new(CorsOrigins::list(["https://app.example"]))
            .allow_credentials(true)
            .max_age(std::time::Duration::from_secs(600));
        assert!(c.allows_origin("https://app.example"));
        assert!(!c.allows_origin("https://evil.example"));
        assert!(c.allow_credentials_enabled());
    }

    #[test]
    fn any_origin_allows_everything() {
        let c = CorsConfig::new(CorsOrigins::any());
        assert!(c.allows_origin("https://whatever.example"));
    }
}