Enhancement: Made CORS Preflight Check specification conform.

2020-02-13 11:49:33 +01:00 · 2020-02-13 11:49:33 +01:00 · 1cbb139476
commit 1cbb139476
parent 49b0ca4d58
4 changed files with 30 additions and 12 deletions
--- a/app/controllers/application_controller/sets_headers.rb
+++ b/app/controllers/application_controller/sets_headers.rb
@ -35,19 +35,12 @@ module ApplicationController::SetsHeaders
  # request, return only the necessary headers and return an empty
  # text/plain.
  def cors_preflight_check
-    return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
-
-    cors_preflight_check_execute
-  end
-
-  def cors_preflight_check_execute
-    return true if request.method != 'OPTIONS'
+    return if request.method != 'OPTIONS'

    headers['Access-Control-Allow-Origin']      = '*'
    headers['Access-Control-Allow-Methods']     = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
    headers['Access-Control-Allow-Headers']     = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
    headers['Access-Control-Max-Age']           = '1728000'
-    render text: '', content_type: 'text/plain'
-    false
+    render plain: ''
  end
 end
--- a/app/controllers/form_controller.rb
+++ b/app/controllers/form_controller.rb
@ -2,7 +2,7 @@

 class FormController < ApplicationController
  skip_before_action :verify_csrf_token
-  before_action :cors_preflight_check_execute
+  before_action :cors_preflight_check
  after_action :set_access_control_headers_execute
  skip_before_action :user_device_check

--- a/config/routes.rb
+++ b/config/routes.rb
@ -6,6 +6,7 @@ Rails.application.routes.draw do

  # just remember to delete public/index.html.
  root to: 'init#index', via: :get
+  root to: 'errors#routing', via: %i[post put delete options]

  # load routes from external files
  dir = File.expand_path(__dir__)
@ -18,6 +19,5 @@ Rails.application.routes.draw do
    end
  end

-  match '*a', to: 'errors#routing', via: %i[get post put delete]
-
+  match '*a', to: 'errors#routing', via: %i[get post put delete options]
 end
--- a/spec/requests/cors_preflight_check_spec.rb
+++ b/spec/requests/cors_preflight_check_spec.rb
@ -0,0 +1,25 @@
+require 'rails_helper'
+
+RSpec.describe 'CORS Preflight Check', type: :request do
+
+  shared_examples 'empty response' do
+    it { expect(response).to have_http_status(:ok) }
+    it { expect(response.body).to be_empty }
+  end
+
+  context 'valid route' do
+    before do
+      process :options, '/'
+    end
+
+    include_examples 'empty response'
+  end
+
+  context 'invalid route' do
+    before do
+      process :options, '/this_is_an_invalid_route'
+    end
+
+    include_examples 'empty response'
+  end
+end