Merge pull request #47 from caos/fix-cors

fix: cors
2020-08-24 08:19:29 +02:00 · 2020-08-24 08:19:29 +02:00 · b2b25c5b8c
commit b2b25c5b8c
parent 57cf8ee9c7 6e71c17f1d
5 changed files with 15 additions and 9 deletions
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -184,18 +184,18 @@ func (mr *MockStorageMockRecorder) GetUserinfoFromScopes(arg0, arg1, arg2 interf
 }

 // GetUserinfoFromToken mocks base method
-func (m *MockStorage) GetUserinfoFromToken(arg0 context.Context, arg1 string) (*oidc.Userinfo, error) {
+func (m *MockStorage) GetUserinfoFromToken(arg0 context.Context, arg1, arg2 string) (*oidc.Userinfo, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetUserinfoFromToken", arg0, arg1)
+	ret := m.ctrl.Call(m, "GetUserinfoFromToken", arg0, arg1, arg2)
 	ret0, _ := ret[0].(*oidc.Userinfo)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }

 // GetUserinfoFromToken indicates an expected call of GetUserinfoFromToken
-func (mr *MockStorageMockRecorder) GetUserinfoFromToken(arg0, arg1 interface{}) *gomock.Call {
+func (mr *MockStorageMockRecorder) GetUserinfoFromToken(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).GetUserinfoFromToken), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).GetUserinfoFromToken), arg0, arg1, arg2)
 }

 // Health mocks base method
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -35,12 +35,16 @@ var DefaultInterceptor = func(h http.HandlerFunc) http.HandlerFunc {
 	})
 }

+var allowAllOrigins = func(_ string) bool {
+	return true
+}
+
 func CreateRouter(o OpenIDProvider, h HttpInterceptor) *mux.Router {
 	if h == nil {
 		h = DefaultInterceptor
 	}
 	router := mux.NewRouter()
-	router.Use(handlers.CORS())
+	router.Use(handlers.CORS(handlers.AllowedOriginValidator(allowAllOrigins), handlers.AllowedHeaders([]string{"content-type"})))
 	router.HandleFunc(healthzEndpoint, Healthz)
 	router.HandleFunc(readinessEndpoint, o.HandleReady)
 	router.HandleFunc(oidc.DiscoveryEndpoint, o.HandleDiscovery)
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -29,7 +29,7 @@ type OPStorage interface {
 	GetClientByClientID(context.Context, string) (Client, error)
 	AuthorizeClientIDSecret(context.Context, string, string) error
 	GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error)
-	GetUserinfoFromToken(context.Context, string) (*oidc.Userinfo, error)
+	GetUserinfoFromToken(context.Context, string, string) (*oidc.Userinfo, error)
 }

 type Storage interface {
--- a/pkg/op/userinfo.go
+++ b/pkg/op/userinfo.go
@ -5,9 +5,10 @@ import (
 	"net/http"
 	"strings"

+	"github.com/gorilla/schema"
+
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
-	"github.com/gorilla/schema"
 )

 type UserinfoProvider interface {
@ -27,8 +28,9 @@ func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoP
 		http.Error(w, "access token missing", http.StatusUnauthorized)
 		return
 	}
-	info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), tokenID)
+	info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), tokenID, r.Header.Get("origin"))
 	if err != nil {
+		w.WriteHeader(http.StatusForbidden)
 		utils.MarshalJSON(w, err)
 		return
 	}