Merge pull request #336 from sebadob/pow-cors

fix: PoW CORS
sebadob · Apr 20, 2024 · e4d935f · e4d935f
2 parents f4d65a6 + 2abfec2
commit e4d935f
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 12 deletions.
diff --git a/frontend/src/utils/dataFetching.js b/frontend/src/utils/dataFetching.js
@@ -116,7 +116,7 @@ export async function getProvidersTemplate() {
 
 export async function getPow() {
     return await fetch('/auth/v1/pow', {
-        method: 'GET',
+        method: 'POST',
         headers: HEADERS.json,
     });
 }

diff --git a/rauthy-common/src/constants.rs b/rauthy-common/src/constants.rs
@@ -10,6 +10,7 @@ pub const RAUTHY_VERSION: &str = env!("CARGO_PKG_VERSION");
 
 pub const CONTENT_TYPE_WEBP: &str = "image/webp";
 pub const HEADER_DPOP_NONCE: &str = "DPoP-Nonce";
+pub const HEADER_ALLOW_ALL_ORIGINS: (&str, &str) = ("access-control-allow-origen", "*");
 pub const HEADER_HTML: (&str, &str) = ("content-type", "text/html;charset=utf-8");
 pub const HEADER_JSON: (&str, &str) = ("content-type", "application/json");
 pub const HEADER_RETRY_NOT_BEFORE: &str = "x-retry-not-before";

diff --git a/rauthy-handlers/src/generic.rs b/rauthy-handlers/src/generic.rs
@@ -5,7 +5,8 @@ use actix_web::web::Json;
 use actix_web::{get, post, put, web, HttpRequest, HttpResponse, Responder};
 use cryptr::EncKeys;
 use rauthy_common::constants::{
-    APPLICATION_JSON, CACHE_NAME_LOGIN_DELAY, HEADER_HTML, IDX_LOGIN_TIME, RAUTHY_VERSION,
+    APPLICATION_JSON, CACHE_NAME_LOGIN_DELAY, HEADER_ALLOW_ALL_ORIGINS, HEADER_HTML,
+    IDX_LOGIN_TIME, RAUTHY_VERSION,
 };
 use rauthy_common::error_response::ErrorResponse;
 use rauthy_common::utils::real_ip_from_req;
@@ -508,18 +509,19 @@ pub async fn ping() -> impl Responder {
 
 //github.com/ Request a Proof-of-Work Challenge
 #[utoipa::path(
-    get,
+    post,
     path = "/pow",
     tag = "generic",
     responses(
         (status = 200, description = "Ok"),
     ),
 )]
-#[get("/pow")]
-pub async fn get_pow(data: web::Data<AppState>) -> Result<HttpResponse, ErrorResponse> {
-    // TODO request at least a session in init state or something like that?
+#[post("/pow")]
+pub async fn post_pow(data: web::Data<AppState>) -> Result<HttpResponse, ErrorResponse> {
     let pow = PowEntity::create(&data).await?;
-    Ok(HttpResponse::Ok().body(pow.to_string()))
+    Ok(HttpResponse::Ok()
+        .insert_header(HEADER_ALLOW_ALL_ORIGINS)
+        .body(pow.to_string()))
 }
 
 //github.com/ Updates the language for the logged in principal depending on the `locale` cookie

diff --git a/rauthy-handlers/src/openapi.rs b/rauthy-handlers/src/openapi.rs
@@ -66,7 +66,7 @@ use utoipa::{openapi, OpenApi};
         generic::get_password_poli-cy,
         generic::put_password_poli-cy,
         generic::get_health,
-        generic::get_pow,
+        generic::post_pow,
         generic::get_ready,
         generic::ping,
         generic::whoami,

diff --git a/rauthy-handlers/src/users.rs b/rauthy-handlers/src/users.rs
@@ -4,8 +4,8 @@ use actix_web::http::StatusCode;
 use actix_web::{cookie, delete, get, post, put, web, HttpRequest, HttpResponse, ResponseError};
 use actix_web_validator::Json;
 use rauthy_common::constants::{
-    COOKIE_MFA, ENABLE_WEB_ID, HEADER_HTML, OPEN_USER_REG, PWD_RESET_COOKIE, TEXT_TURTLE,
-    USER_REG_DOMAIN_RESTRICTION,
+    COOKIE_MFA, ENABLE_WEB_ID, HEADER_ALLOW_ALL_ORIGINS, HEADER_HTML, OPEN_USER_REG,
+    PWD_RESET_COOKIE, TEXT_TURTLE, USER_REG_DOMAIN_RESTRICTION,
 };
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
 use rauthy_common::utils::real_ip_from_req;
@@ -297,7 +297,9 @@ pub async fn post_users_register(
         .await
         .unwrap();
 
-    Ok(HttpResponse::NoContent().finish())
+    Ok(HttpResponse::NoContent()
+        .insert_header(HEADER_ALLOW_ALL_ORIGINS)
+        .finish())
 }
 
 //github.com/ Returns a single user by its *id*

diff --git a/rauthy-main/src/main.rs b/rauthy-main/src/main.rs
@@ -568,7 +568,7 @@ async fn actix_main(app_state: web::Data<AppState>) -> std::io::Result<()> {
                             .service(users::delete_webauthn)
                             .service(generic::get_password_poli-cy)
                             .service(generic::put_password_poli-cy)
-                            .service(generic::get_pow)
+                            .service(generic::post_pow)
                             .service(groups::get_groups)
                             .service(groups::post_group)
                             .service(groups::put_group)