Remove custom CORS controller for JiraConnect
What does this MR do and why?
This MR fixes a bug where JiraConnect controllers don't send the correct CORS headers.

We want the Access-Control-Allow-Origin header to match the jira_connect_proxy_url application setting. Only the configured URL is the allowed origin. I thought this wasn't possible using rack-cors because origins are fixed values that are loaded at application startup. Therefore, I created a custom solution that routes the OPTIONS requests to a controller, handling the headers.

It turned out that the solution never worked because rack-cors intercepts all OPTIONS requests before they reach the controller. I now found that it's possible to pass a block to the origins method, which solves the problem in a more elegant way and fixes the bug.
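The origins-block approach described above, written out as an added example (not the MR's own code): a matcher that is evaluated on every preflight request and compares the Origin header with the current jira_connect_proxy_url setting, so the allowed origin is no longer fixed at boot. CurrentSettings, origin_of and the resource path in the comment are assumptions standing in for GitLab's settings object and the MR's real rack-cors configuration; the block itself runs without the rack-cors gem.

```ruby
require 'uri'

# Stand-in for Gitlab::CurrentSettings (assumption): a mutable settings object
# that is read at request time rather than once at application startup.
module CurrentSettings
  class << self
    attr_accessor :jira_connect_proxy_url
  end
end

# Reduce a URL to its origin (scheme://host[:port]) so that a setting such as
# 'http://example.com/' or 'https://example.com:443/proxy' compares correctly
# against an Origin header, which never carries a path. Hypothetical helper.
def origin_of(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.scheme && uri.host
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# Block for rack-cors `origins`: rack-cors calls it with (source, env) for each
# request, so the allowed origin follows the current setting. It returns false
# whenever the setting is unset or the origin differs in scheme, host or port,
# in which case no Access-Control-Allow-Origin header is emitted.
JIRA_CONNECT_ORIGIN = lambda do |source, _env|
  allowed = origin_of(CurrentSettings.jira_connect_proxy_url)
  !allowed.nil? && origin_of(source) == allowed
end

# How the block is wired into rack-cors (assumed resource path and methods; the
# exact configuration in the MR is not shown on the page):
#
#   Rails.application.config.middleware.insert_before 0, Rack::Cors do
#     allow do
#       origins(&JIRA_CONNECT_ORIGIN)
#       resource '/-/jira_connect/*', headers: :any, methods: %i[get options]
#     end
#   end
```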
How to set up and validate locally
- Switch to the master branch.
- Set the jira_connect_proxy_url setting:
  Gitlab::CurrentSettings.update(jira_connect_proxy_url: 'http://example.com')
- Check the response headers of an OPTIONS request to one of the jira_connect endpoints:
  curl -v --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
    --header 'access-control-request-method: GET' \
    --header 'Origin: http://example.com'
- The headers should not include the Access-Control-Allow-Origin header.
- Switch to the andysoiron/fix-jira_connect-cors-problems branch and restart GDK to pick up the new settings.
- Check the response headers of an OPTIONS request to one of the jira_connect endpoints:
  curl -v --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
    --header 'access-control-request-method: GET' \
    --header 'Origin: http://example.com'
- The response headers should now include the Access-Control-Allow-Origin header with the value of http://example.com.
- Do the request again with another origin.
- Check the response headers of an OPTIONS request to one of the jira_connect endpoints:
  curl -v --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
    --header 'access-control-request-method: GET' \
    --header 'Origin: http://some_other_origin.com'
- The response headers should not include an Access-Control-Allow-Origin header.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.