pylon-plugin 0.3.23

Pylon — realtime backend as a single Rust binary. Schema, policies, server functions, live queries, auth — one process.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

use crate::{Plugin, PluginError};
use pylon_auth::AuthContext;

/// CORS plugin. Validates request origins against an allowlist.
pub struct CorsPlugin {
    /// Allowed origins. Empty = allow all ("*").
    pub allowed_origins: Vec<String>,
    /// Whether to allow credentials.
    pub allow_credentials: bool,
}

impl CorsPlugin {
    /// Allow all origins.
    pub fn allow_all() -> Self {
        Self {
            allowed_origins: vec![],
            allow_credentials: false,
        }
    }

    /// Allow specific origins.
    pub fn new(origins: Vec<String>) -> Self {
        Self {
            allowed_origins: origins,
            allow_credentials: true,
        }
    }

    /// Check if an origin is allowed.
    pub fn is_allowed(&self, origin: &str) -> bool {
        if self.allowed_origins.is_empty() {
            return true; // wildcard
        }
        self.allowed_origins.iter().any(|o| o == origin || o == "*")
    }

    /// Get the Access-Control-Allow-Origin header value.
    pub fn allow_origin_header(&self, request_origin: Option<&str>) -> String {
        if self.allowed_origins.is_empty() {
            return "*".to_string();
        }
        match request_origin {
            Some(origin) if self.is_allowed(origin) => origin.to_string(),
            _ => String::new(),
        }
    }
}

impl Plugin for CorsPlugin {
    fn name(&self) -> &str {
        "cors"
    }

    fn on_request(
        &self,
        _method: &str,
        _path: &str,
        _auth: &AuthContext,
    ) -> Result<(), PluginError> {
        // CORS is handled at the HTTP layer (headers), not here.
        // This plugin provides the configuration; the server reads it.
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn allow_all() {
        let cors = CorsPlugin::allow_all();
        assert!(cors.is_allowed("http://localhost:3000"));
        assert!(cors.is_allowed("https://example.com"));
        assert_eq!(cors.allow_origin_header(Some("http://localhost:3000")), "*");
    }

    #[test]
    fn specific_origins() {
        let cors = CorsPlugin::new(vec![
            "http://localhost:3000".into(),
            "https://myapp.com".into(),
        ]);

        assert!(cors.is_allowed("http://localhost:3000"));
        assert!(cors.is_allowed("https://myapp.com"));
        assert!(!cors.is_allowed("https://evil.com"));
    }

    #[test]
    fn allow_origin_header_matches() {
        let cors = CorsPlugin::new(vec!["https://myapp.com".into()]);

        assert_eq!(
            cors.allow_origin_header(Some("https://myapp.com")),
            "https://myapp.com"
        );
        assert_eq!(cors.allow_origin_header(Some("https://evil.com")), "");
        assert_eq!(cors.allow_origin_header(None), "");
    }
}