From af3da0a26cb6d6018a9e2f9087b0b2a84406b12c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Tue, 10 Sep 2024 16:06:11 +0200
Subject: [PATCH] Set CORS headers for all .well-known responses

So we don't have to consider it for reverse proxies etc.
---
 app/controllers/webfinger_controller.rb | 10 +---------
 app/controllers/well_known_controller.rb | 8 ++++++++
 spec/requests/webfinger_spec.rb | 6 ++++++
 spec/requests/well_known_spec.rb | 6 ++++++
 4 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/app/controllers/webfinger_controller.rb b/app/controllers/webfinger_controller.rb
index 2369313..dd6a9eb 100644
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -1,8 +1,6 @@
-class WebfingerController < ApplicationController
+class WebfingerController < WellKnownController
   before_action :allow_cross_origin_requests, only: [:show]
 
-  layout false
-
   def show
     resource = params[:resource]
 
@@ -91,10 +89,4 @@ class WebfingerController < ApplicationController
       }
     }
   end
-
-  def allow_cross_origin_requests
-    return unless Rails.env.development?
-    headers['Access-Control-Allow-Origin'] = "*"
-    headers['Access-Control-Allow-Methods'] = "GET"
-  end
 end
diff --git a/app/controllers/well_known_controller.rb b/app/controllers/well_known_controller.rb
index 72443be..fd3c31d 100644
--- a/app/controllers/well_known_controller.rb
+++ b/app/controllers/well_known_controller.rb
@@ -1,5 +1,8 @@
 class WellKnownController < ApplicationController
   before_action :require_nostr_enabled, only: [ :nostr ]
+  before_action :allow_cross_origin_requests, only: [ :nostr ]
+
+  layout false
 
   def nostr
     http_status :unprocessable_entity and return if params[:name].blank?
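Review bot: The subclass still has to carry `before_action :allow_cross_origin_requests, only: [:show]` because the parent scopes its own declaration to `:nostr`, so every future .well-known action must opt in by hand, which is at odds with the commit title's "all .well-known responses". Declaring the filter once in `WellKnownController` with no `only:` and dropping this line would let the base class own the policy; the rest of WellKnownController's actions are outside this view, so confirm none of them should remain CORS-closed before widening it. The subclass now also inherits `require_nostr_enabled, only: [ :nostr ]`, which is inert for `show` but worth a one-line comment on the class so the inheritance is not mistaken for a gating bug. The class body continues past the hunk.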
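Review bot: Filter order leaves the 404 from `require_nostr_enabled` without CORS headers: Rails runs before_actions in declaration order and a filter that renders halts the chain, so, assuming `http_status :not_found` renders as its guard-style use suggests, `allow_cross_origin_requests` never runs on that path and a browser caller gets an opaque CORS failure instead of a readable 404. Swapping the two `before_action` lines, or using `prepend_before_action :allow_cross_origin_requests, only: [ :nostr ]`, lets every response from the action carry the header, which is what the title promises. The 422 for a blank `name` inside `nostr` is unaffected, since it runs after both filters. The `nostr` action continues past the hunk.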
@@ -30,4 +33,9 @@ class WellKnownController < ApplicationController
   def require_nostr_enabled
     http_status :not_found unless Setting.nostr_enabled?
   end
+
+  def allow_cross_origin_requests
+    headers['Access-Control-Allow-Origin'] = "*"
+    headers['Access-Control-Allow-Methods'] = "GET"
+  end
 end
diff --git a/spec/requests/webfinger_spec.rb b/spec/requests/webfinger_spec.rb
index 8bb0d93..ffc9b1b 100644
--- a/spec/requests/webfinger_spec.rb
+++ b/spec/requests/webfinger_spec.rb
@@ -94,6 +94,12 @@ RSpec.describe "WebFinger", type: :request do
       oauth_url = rs_link["properties"]["http://tools.ietf.org/html/rfc6749#section-4.2"]
       expect(oauth_url).to eql("http://www.example.com/rs/oauth/tony")
     end
+
+    it "returns CORS headers" do
+      get "/.well-known/nostr.json?name=bobdylan"
+      expect(response.headers['Access-Control-Allow-Origin']).to eq("*")
+      expect(response.headers['Access-Control-Allow-Methods']).to eq('GET')
+    end
   end
 
   context "remoteStorage not enabled for user" do
diff --git a/spec/requests/well_known_spec.rb b/spec/requests/well_known_spec.rb
index 97c617f..a27f14c 100644
--- a/spec/requests/well_known_spec.rb
+++ b/spec/requests/well_known_spec.rb
@@ -46,6 +46,12 @@ RSpec.describe "Well-known URLs", type: :request do
       expect(res["names"]["bobdylan"]).to eq(user.nostr_pubkey)
     end
 
+    it "returns CORS headers" do
+      get "/.well-known/nostr.json?name=bobdylan"
+      expect(response.headers['Access-Control-Allow-Origin']).to eq("*")
+      expect(response.headers['Access-Control-Allow-Methods']).to eq('GET')
+    end
+
     context "without relay configured" do
       before do
         Setting.nostr_relay_url = ""
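Review bot: `allow_cross_origin_requests` now sends `Access-Control-Allow-Origin: *` in every environment, and the `Rails.env.development?` guard this commit deletes from WebfingerController suggests production previously relied on a reverse proxy to add that header; if the proxy still does, the response carries two `Access-Control-Allow-Origin` values and browsers reject it outright, so the proxy rule must be removed in the same deployment. The wildcard itself is the right choice for these public discovery documents — RFC 7033 §5 requires WebFinger resources to send the header — and it is safe precisely because `*` cannot be combined with credentials, so this method must never grow an `Access-Control-Allow-Credentials` line. `Access-Control-Allow-Methods` is only consulted on a preflight response, which a plain GET never triggers, so it is harmless but inert; a comment such as `# Public discovery documents: wildcard origin is intentional; never add Allow-Credentials here` would record the decision for the next reader.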
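Review bot: The new example in the WebFinger spec requests `/.well-known/nostr.json?name=bobdylan`, the Nostr endpoint, so it duplicates the well_known_spec example and leaves the WebFinger `show` action — the one whose production behaviour this commit actually changes by dropping the `Rails.env.development?` guard — with no CORS assertion at all. It should hit the webfinger route for the user the surrounding examples use, e.g. `get "/.well-known/webfinger?resource=acct:tony@example.com"`, with the exact resource string copied from the sibling examples above the hunk, which are outside this view. A second example asserting the headers on the not-found or invalid-resource response would pin down that the filter runs before `show` renders its error.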