add support for preflight requ (cors)

winixd/functions/functionbase.cpp

@@ -142,6 +142,61 @@ bool FunctionBase::HasAccess()
 }
 
 
+bool FunctionBase::IsCorsMethodAvailable(Request::Method method)
+{
+	return method == Request::get || method == Request::head || method == Request::post || method == Request::put ||
+		   method == Request::delete_ ||method == Request::patch;
+}
+
+
+bool FunctionBase::IsCorsOriginAvailable(const std::wstring & origin_url)
+{
+	// true by default for all urles
+	return true;
+}
+
+
+bool FunctionBase::AreCorsHeadersAvailable(const std::wstring & headers)
+{
+	// true by default for all headers
+	// headers are comma separated
+	return true;
+}
+
+
+/*
+ * method is the value of Access-Control-Request-Method header sent by the client
+ */
+void FunctionBase::AddAccessControlAllowMethodsHeader(Request::Method method)
+{
+	cur->request->AddHeader(Header::access_control_allow_methods, L"GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");
+}
+
+
+/*
+ * origin_url is the value of Origin header sent by the client
+ */
+void FunctionBase::AddAccessControlAllowOriginHeader(const std::wstring & origin_url)
+{
+	cur->request->AddHeader(Header::access_control_allow_origin, origin_url);
+}
+
+
+/*
+ * headers is the value of Access-Control-Request-Headers header sent by the client
+ */
+void FunctionBase::AddAccessControlAllowHeadersHeader(const std::wstring & headers)
+{
+	cur->request->AddHeader(Header::access_control_allow_headers, headers);
+}
+
+
+void FunctionBase::AddAccessControlMaxAgeHeader()
+{
+	// default 24 hours
+	cur->request->AddHeader(Header::access_control_max_age, 86400);
+}
+
 
 void FunctionBase::MakeGet()
 {
@@ -174,12 +229,53 @@ void FunctionBase::MakeConnect()
 	// do nothing by default
 }
 
+
 void FunctionBase::MakeOptions()
 {
 	cur->request->http_status = Header::status_204_no_content;
-	cur->request->out_headers.add(Header::allow, L"OPTIONS, GET, HEAD, POST, DELETE");
+
+	pt::Space * cors_method = cur->request->headers_in.get_space_nc(L"Access_Control_Request_Method"); // FastCGI changes '-' to '_'
+	pt::Space * cors_headers = cur->request->headers_in.get_space_nc(L"Access_Control_Request_Headers");
+	pt::Space * cors_origin = cur->request->headers_in.get_space_nc(L"Origin");
+
+	if( cors_method && cors_origin && cors_method->is_wstr() && cors_origin->is_wstr() )
+	{
+		/*
+		 * this is a preflight request
+		 * https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
+		 * (we allow Access-Control-Request-Headers not to be present)
+		 */
+		Request::Method method = Request::CheckRequestMethod(cors_method->get_wstr()->c_str());
+
+		if( IsCorsMethodAvailable(method) && IsCorsOriginAvailable(*cors_origin->get_wstr()) )
+		{
+			bool cors_available = true;
+
+			if( cors_headers && cors_headers->is_wstr() )
+			{
+				cors_available = AreCorsHeadersAvailable(*cors_headers->get_wstr());
+			}
+
+			if( cors_available )
+			{
+				AddAccessControlAllowMethodsHeader(method);
+				AddAccessControlAllowOriginHeader(*cors_origin->get_wstr());
+				AddAccessControlMaxAgeHeader();
+
+				if( cors_headers && cors_headers->is_wstr() )
+				{
+					AddAccessControlAllowHeadersHeader(*cors_headers->get_wstr());
+				}
+			}
+		}
+	}
+	else
+	{
+		cur->request->out_headers.add(Header::allow, L"GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");
+	}
 }
 
+
 void FunctionBase::MakeTrace()
 {
 	// do nothing by default