tideway 0.7.17

A batteries-included Rust web framework built on Axum for building SaaS applications quickly
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

use super::config::CorsConfig;
use axum::http::{HeaderValue, Method};
use std::time::Duration;
use tower_http::cors::{Any, CorsLayer};

/// Build a tower-http CorsLayer from a CorsConfig
pub fn build_cors_layer(config: &CorsConfig) -> Option<CorsLayer> {
    if !config.enabled {
        return None;
    }

    let mut layer = CorsLayer::new();

    // Configure allowed origins
    if config.allowed_origins.is_empty() {
        // No origins configured - don't set any allow_origin (most restrictive)
        // The layer will default to not allowing any origins
    } else if config.allowed_origins.len() == 1 && config.allowed_origins[0] == "*" {
        // Allow any origin
        layer = layer.allow_origin(Any);
    } else {
        // Allow specific origins
        let origins: Vec<HeaderValue> = config
            .allowed_origins
            .iter()
            .filter_map(|origin| origin.parse().ok())
            .collect();
        layer = layer.allow_origin(origins);
    }

    // Configure allowed methods
    let methods: Vec<Method> = config
        .allowed_methods
        .iter()
        .filter_map(|m| m.parse().ok())
        .collect();

    if !methods.is_empty() {
        layer = layer.allow_methods(methods);
    }

    // Configure allowed headers
    if config.allowed_headers.len() == 1 && config.allowed_headers[0] == "*" {
        layer = layer.allow_headers(Any);
    } else {
        let headers: Vec<_> = config
            .allowed_headers
            .iter()
            .filter_map(|h| h.parse().ok())
            .collect();
        if !headers.is_empty() {
            layer = layer.allow_headers(headers);
        }
    }

    // Configure exposed headers
    if !config.exposed_headers.is_empty() {
        let headers: Vec<_> = config
            .exposed_headers
            .iter()
            .filter_map(|h| h.parse().ok())
            .collect();
        if !headers.is_empty() {
            layer = layer.expose_headers(headers);
        }
    }

    // Configure credentials
    if config.allow_credentials {
        layer = layer.allow_credentials(true);
    }

    // Configure max age
    layer = layer.max_age(Duration::from_secs(config.max_age_seconds));

    Some(layer)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_disabled_cors() {
        let config = CorsConfig {
            enabled: false,
            ..Default::default()
        };
        let layer = build_cors_layer(&config);
        assert!(layer.is_none());
    }

    #[test]
    fn test_default_config_disabled() {
        // SECURITY: Default config has CORS disabled
        let config = CorsConfig::default();
        let layer = build_cors_layer(&config);
        assert!(layer.is_none(), "CORS should be disabled by default");
    }

    #[test]
    fn test_permissive_cors() {
        let config = CorsConfig::permissive();
        let layer = build_cors_layer(&config);
        assert!(layer.is_some());
    }

    #[test]
    fn test_specific_origins() {
        let config = CorsConfig::builder()
            .enabled(true)
            .allow_origin("https://example.com")
            .build();
        let layer = build_cors_layer(&config);
        assert!(layer.is_some());
    }

    #[test]
    fn test_empty_origins_enabled() {
        // If explicitly enabled but no origins, still creates a layer
        let config = CorsConfig::builder().enabled(true).build();
        let layer = build_cors_layer(&config);
        assert!(layer.is_some());
    }
}