From 6c953e03269d3624d24b988b55a9505005bab67a Mon Sep 17 00:00:00 2001 From: Sean Macdonald Date: Sat, 4 Sep 2021 19:13:55 -0400 Subject: [PATCH] added flags for CORS header --- cmd/tusd/cli/flags.go | 2 ++ cmd/tusd/cli/serve.go | 5 +++++ pkg/handler/config.go | 11 +++++++++++ pkg/handler/unrouted_handler.go | 11 +++++++++-- 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/cmd/tusd/cli/flags.go b/cmd/tusd/cli/flags.go index 296928f..2954c5a 100644 --- a/cmd/tusd/cli/flags.go +++ b/cmd/tusd/cli/flags.go @@ -49,6 +49,7 @@ var Flags struct { ShowVersion bool ExposeMetrics bool MetricsPath string + CorsOrigin string BehindProxy bool VerboseOutput bool S3TransferAcceleration bool @@ -94,6 +95,7 @@ func ParseFlags() { flag.BoolVar(&Flags.ShowVersion, "version", false, "Print tusd version information") flag.BoolVar(&Flags.ExposeMetrics, "expose-metrics", true, "Expose metrics about tusd usage") flag.StringVar(&Flags.MetricsPath, "metrics-path", "/metrics", "Path under which the metrics endpoint will be accessible") + flag.StringVar(&Flags.CorsOrigin, "cors-origin", "", "Explicitly set Access-Control-Allow-Origin header") flag.BoolVar(&Flags.BehindProxy, "behind-proxy", false, "Respect X-Forwarded-* and similar headers which may be set by proxies") flag.BoolVar(&Flags.VerboseOutput, "verbose", true, "Enable verbose logging output") flag.BoolVar(&Flags.S3TransferAcceleration, "s3-transfer-acceleration", false, "Use AWS S3 transfer acceleration endpoint (requires -s3-bucket option and Transfer Acceleration property on S3 bucket to be set)") diff --git a/cmd/tusd/cli/serve.go b/cmd/tusd/cli/serve.go index aad6ad1..6ae58ec 100644 --- a/cmd/tusd/cli/serve.go +++ b/cmd/tusd/cli/serve.go @@ -26,6 +26,7 @@ func Serve() { config := handler.Config{ MaxSize: Flags.MaxSize, BasePath: Flags.Basepath, + CorsOrigin: Flags.CorsOrigin, RespectForwardedHeaders: Flags.BehindProxy, StoreComposer: Composer, NotifyCompleteUploads: true, @@ -100,6 +101,10 @@ func Serve() { protocol = "https" } + if Flags.CorsOrigin != "" { + stdout.Printf("CORS origin header is %s", Flags.CorsOrigin) + } + if Flags.HttpSock == "" { stdout.Printf("You can now upload files to: %s://%s%s", protocol, address, basepath) } diff --git a/pkg/handler/config.go b/pkg/handler/config.go index ae9676b..22da938 100644 --- a/pkg/handler/config.go +++ b/pkg/handler/config.go @@ -36,6 +36,10 @@ type Config struct { NotifyCreatedUploads bool // Logger is the logger to use internally, mostly for printing requests. Logger *log.Logger + // Explicitly set Access-Control-Allow-Origin in cases where RespectForwardedHeaders + // doesn't give you the desired result. This can be the case with some reverse proxies + // or a kubernetes setup with complex network routing rules + CorsOrigin string // Respect the X-Forwarded-Host, X-Forwarded-Proto and Forwarded headers // potentially set by proxies when generating an absolute URL in the // response to POST requests. @@ -82,5 +86,12 @@ func (config *Config) validate() error { return errors.New("tusd: StoreComposer in Config needs to contain a non-nil core") } + if config.CorsOrigin != "" && config.CorsOrigin != "*" && config.CorsOrigin != "null" { + _, err := url.ParseRequestURI(config.CorsOrigin) + if err != nil { + errors.New("tusd: CorsOrigin is not a valid URL") + } + } + return nil } diff --git a/pkg/handler/unrouted_handler.go b/pkg/handler/unrouted_handler.go index d9fadcd..e78c3bc 100644 --- a/pkg/handler/unrouted_handler.go +++ b/pkg/handler/unrouted_handler.go @@ -217,8 +217,15 @@ func (handler *UnroutedHandler) Middleware(h http.Handler) http.Handler { header := w.Header() - if origin := r.Header.Get("Origin"); origin != "" { - header.Set("Access-Control-Allow-Origin", origin) + var origin = handler.config.CorsOrigin + if origin == "" { + origin = r.Header.Get("Origin") + } + + if origin != "" { + + header.Set("Access-Control-Allow-Origin", origin) + header.Set("Vary", "Origin") if r.Method == "OPTIONS" { // Preflight request