Set CORS headers for all .well-known responses

So we don't have to consider it for reverse proxies etc.
2024-09-10 16:06:11 +02:00 · 2024-09-10 16:06:11 +02:00 · af3da0a26c
commit af3da0a26c
parent 45137e0cfe
4 changed files with 21 additions and 9 deletions
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@ -1,8 +1,6 @@
-class WebfingerController < ApplicationController
+class WebfingerController < WellKnownController
  before_action :allow_cross_origin_requests, only: [:show]

-  layout false
-
  def show
    resource = params[:resource]

@ -91,10 +89,4 @@ class WebfingerController < ApplicationController
      }
    }
  end
-
-  def allow_cross_origin_requests
-    return unless Rails.env.development?
-    headers['Access-Control-Allow-Origin'] = "*"
-    headers['Access-Control-Allow-Methods'] = "GET"
-  end
 end
--- a/app/controllers/well_known_controller.rb
+++ b/app/controllers/well_known_controller.rb
@ -1,5 +1,8 @@
 class WellKnownController < ApplicationController
  before_action :require_nostr_enabled, only: [ :nostr ]
+  before_action :allow_cross_origin_requests, only: [ :nostr ]
+
+  layout false

  def nostr
    http_status :unprocessable_entity and return if params[:name].blank?
@ -30,4 +33,9 @@ class WellKnownController < ApplicationController
    def require_nostr_enabled
      http_status :not_found unless Setting.nostr_enabled?
    end
+
+    def allow_cross_origin_requests
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
+    end
 end
--- a/spec/requests/webfinger_spec.rb
+++ b/spec/requests/webfinger_spec.rb
@ -94,6 +94,12 @@ RSpec.describe "WebFinger", type: :request do
          oauth_url = rs_link["properties"]["http://tools.ietf.org/html/rfc6749#section-4.2"]
          expect(oauth_url).to eql("http://www.example.com/rs/oauth/tony")
        end
+
+        it "returns CORS headers" do
+          get "/.well-known/nostr.json?name=bobdylan"
+          expect(response.headers['Access-Control-Allow-Origin']).to eq("*")
+          expect(response.headers['Access-Control-Allow-Methods']).to eq('GET')
+        end
      end

      context "remoteStorage not enabled for user" do
--- a/spec/requests/well_known_spec.rb
+++ b/spec/requests/well_known_spec.rb
@ -46,6 +46,12 @@ RSpec.describe "Well-known URLs", type: :request do
        expect(res["names"]["bobdylan"]).to eq(user.nostr_pubkey)
      end

+      it "returns CORS headers" do
+        get "/.well-known/nostr.json?name=bobdylan"
+        expect(response.headers['Access-Control-Allow-Origin']).to eq("*")
+        expect(response.headers['Access-Control-Allow-Methods']).to eq('GET')
+      end
+
      context "without relay configured" do
        before do
          Setting.nostr_relay_url = ""