
Remove custom CORS controller for JiraConnect

Andy Schoenen requested to merge andysoiron/fix-jira_connect-cors-problems into master

What does this MR do and why?

This MR fixes a bug where JiraConnect controllers don't send the correct CORS headers.

We want the Access-Control-Allow-Origin header to match the jira_connect_proxy_url application setting. Only the configured URL is the allowed origin. I thought this wasn't possible using rack-cors because origins are fixed values that are loaded at application startup. Therefore, I created a custom solution that routes OPTIONS requests to a controller that handles the headers.

It turned out that the solution never worked because rack-cors intercepts all OPTIONS requests before they reach the controller. I now found that it's possible to pass a block to the origins method, which solves the problem in a more elegant way and fixes the bug.

How to set up and validate locally

  1. Switch to the master branch.
  2. Set the jira_connect_proxy_url setting:
    Gitlab::CurrentSettings.update(jira_connect_proxy_url: 'http://example.com')
  3. Check the response headers of an OPTIONS request to one of the jira_connect endpoints:
    curl -v --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
    --header 'access-control-request-method:  GET' \
    --header 'Origin: http://example.com'
  4. The headers should not include the Access-Control-Allow-Origin header.
  5. Switch to the andysoiron/fix-jira_connect-cors-problems branch and restart GDK to pick up the new settings.
  6. Check the response headers of an OPTIONS request to one of the jira_connect endpoints:
    curl -v --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
    --header 'access-control-request-method:  GET' \
    --header 'Origin: http://example.com'
  7. The response headers should now include the Access-Control-Allow-Origin header with the value http://example.com.
  8. Do the request again with another origin.
  9. Check the response headers of an OPTIONS request to one of the jira_connect endpoints:
    curl -v --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
    --header 'access-control-request-method:  GET' \
    --header 'Origin: http://some_other_origin.com'
  10. The response headers should not include an Access-Control-Allow-Origin header.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen
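The validation steps above check two things: a preflight from the configured origin gets an Access-Control-Allow-Origin header echoing that origin, and a preflight from any other origin gets no such header at all. The following is an added, stand-alone Ruby example (not GitLab's code and not the rack-cors gem) that shows the decision a runtime `origins` block has to make, using only the standard library. The module name `JiraConnectCors`, the `allowed_origin` parameter (standing in for a lookup of the jira_connect_proxy_url setting at request time) and the Rack-style env hashes are assumptions for illustration.

```ruby
require 'uri'

# Added example, not GitLab's implementation. A minimal preflight handler that
# decides at request time whether the Origin header matches a configurable
# allowed URL, the way a rack-cors `origins` block can consult a runtime
# setting instead of a value fixed at boot. `allowed_origin` is passed in
# explicitly here; in the real application it would be read from the
# jira_connect_proxy_url setting on every request.
module JiraConnectCors
  ALLOWED_METHODS = %w[GET OPTIONS].freeze

  # Reduce a URL or Origin header to the (scheme, host, port) triple that
  # defines a web origin. Paths, query strings and trailing slashes are
  # ignored, and default ports are made explicit so that
  # "http://example.com" and "http://example.com:80" compare equal.
  def self.origin_triple(value)
    uri = URI.parse(value.to_s)
    return nil unless uri.scheme && uri.host
    [uri.scheme.downcase, uri.host.downcase, uri.port]
  rescue URI::InvalidURIError
    nil
  end

  # The check an origins block would perform: exact origin equality, never a
  # prefix or substring match (which would let http://example.com.attacker.test
  # through when http://example.com is configured).
  def self.origin_allowed?(request_origin, allowed_origin)
    allowed = origin_triple(allowed_origin)
    requested = origin_triple(request_origin)
    !allowed.nil? && !requested.nil? && allowed == requested
  end

  # Build the response headers for a preflight (OPTIONS) request from a
  # Rack-style env. Returns {} when the origin is not allowed, so no
  # Access-Control-Allow-Origin header is emitted at all, which is exactly
  # what steps 8 to 10 of the validation procedure look for.
  def self.preflight_headers(env, allowed_origin)
    origin = env['HTTP_ORIGIN']
    method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'].to_s.strip.upcase
    return {} unless origin_allowed?(origin, allowed_origin)
    return {} unless ALLOWED_METHODS.include?(method)

    {
      'Access-Control-Allow-Origin' => origin, # echo the matched origin, never "*"
      'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
      'Vary' => 'Origin' # caches must not reuse this response for another origin
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs mirroring the curl requests in the MR description.
  allowed = 'http://example.com'
  good = { 'HTTP_ORIGIN' => 'http://example.com',
           'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET' }
  other = good.merge('HTTP_ORIGIN' => 'http://some_other_origin.com')
  p JiraConnectCors.preflight_headers(good, allowed)
  p JiraConnectCors.preflight_headers(other, allowed)
end
```

The comparison is done on the parsed scheme, host and port rather than on the raw strings so that a configured proxy URL carrying a path still matches the bare origin a browser sends, while a different scheme, port or a host that merely starts with the configured one is rejected. The Vary: Origin header matters once the allowed origin is dynamic: without it a shared cache could serve the response, including its Access-Control-Allow-Origin, to a request from a different origin.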
