CBG-4942 obey db scope for CORS.LoginOrigin (#7831)

Author: torcolvin

rest/cors_test.go

@@ -9,6 +9,7 @@
 package rest
 
 import (
+	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
@@ -404,6 +405,74 @@ func TestCORSOriginPerDatabase(t *testing.T) {
 	}
 }
 
+func TestCORSLoginOriginPerDatabase(t *testing.T) {
+	// Override the default (example.com) CORS configuration in the DbConfig for /db:
+	rt := NewRestTesterPersistentConfigNoDB(t)
+	defer rt.Close()
+	dbConfig := rt.NewDbConfig()
+	dbConfig.CORS = &auth.CORSConfig{
+		Origin:      []string{"http://couchbase.com", "http://staging.couchbase.com"},
+		LoginOrigin: []string{"http://couchbase.com"},
+		Headers:     []string{},
+	}
+	RequireStatus(t, rt.CreateDatabase("dbloginorigin", dbConfig), http.StatusCreated)
+
+	const username = "alice"
+	rt.CreateUser(username, nil)
+
+	testCases := []struct {
+		name              string
+		origin            string
+		responseCode      int
+		responseErrorBody string
+	}{
+		{
+			name:         "CORS login origin allowed couchbase",
+			origin:       "http://couchbase.com",
+			responseCode: http.StatusOK,
+		},
+		{
+			name:              "CORS login origin not allowed staging",
+			origin:            "http://staging.couchbase.com",
+			responseCode:      http.StatusBadRequest,
+			responseErrorBody: "No CORS",
+		},
+	}
+	for _, test := range testCases {
+		rt.Run(test.name, func(t *testing.T) {
+			reqHeaders := map[string]string{
+				"Origin":        test.origin,
+				"Authorization": GetBasicAuthHeader(t, username, RestTesterDefaultUserPassword),
+			}
+			resp := rt.SendRequestWithHeaders(http.MethodPost, "/{{.db}}/_session", "", reqHeaders)
+			RequireStatus(t, resp, test.responseCode)
+			if test.responseErrorBody != "" {
+				require.Contains(t, resp.Body.String(), test.responseErrorBody)
+				// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			} else {
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			}
+			if test.responseCode == http.StatusOK {
+				cookie, err := http.ParseSetCookie(resp.Header().Get("Set-Cookie"))
+				require.NoError(t, err)
+				require.NotEmpty(t, cookie.Path)
+				reqHeaders["Cookie"] = fmt.Sprintf("%s=%s", cookie.Name, cookie.Value)
+			}
+			resp = rt.SendRequestWithHeaders(http.MethodDelete, "/{{.db}}/_session", "", reqHeaders)
+			RequireStatus(t, resp, test.responseCode)
+			if test.responseErrorBody != "" {
+				require.Contains(t, resp.Body.String(), test.responseErrorBody)
+				// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			} else {
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			}
+
+		})
+	}
+}
+
 func TestCORSValidation(t *testing.T) {
 	rt := NewRestTester(t, &RestTesterConfig{
 		PersistentConfig: true,

rest/facebook.go

@@ -12,7 +12,6 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/couchbase/sync_gateway/auth"
 	"github.com/couchbase/sync_gateway/base"
 )
 
@@ -26,18 +25,14 @@ type FacebookResponse struct {
 
 // POST /_facebook creates a facebook-based login session and sets its cookie.
 func (h *handler) handleFacebookPOST() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
 	var params struct {
 		AccessToken string `json:"access_token"`
 	}
-	err := h.readJSONInto(&params)
+	err = h.readJSONInto(&params)
 	if err != nil {
 		return err
 	}

rest/google.go

@@ -14,7 +14,6 @@ import (
 	"net/http"
 	"slices"
 
-	"github.com/couchbase/sync_gateway/auth"
 	"github.com/couchbase/sync_gateway/base"
 )
 
@@ -29,20 +28,16 @@ type GoogleResponse struct {
 
 // POST /_google creates a google-based login session and sets its cookie.
 func (h *handler) handleGooglePOST() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
 
 	var params struct {
 		IDToken string `json:"id_token"`
 	}
 
-	err := h.readJSONInto(&params)
+	err = h.readJSONInto(&params)
 	if err != nil {
 		return err
 	}

rest/handler.go

@@ -336,10 +336,7 @@ func (h *handler) validateAndWriteHeaders(method handlerMethod, accessPermission
 	defer func() {
 		// Now that we know the DB, add CORS headers to the response:
 		if h.privs != adminPrivs && h.privs != metricsPrivs {
-			cors := h.server.Config.API.CORS
-			if h.db != nil {
-				cors = h.db.CORS
-			}
+			cors := h.getCORSConfig()
 			if !cors.IsEmpty() {
 				cors.AddResponseHeaders(h.rq, h.response)
 			}
@@ -1784,3 +1781,11 @@ func (h *handler) pathTemplateContains(pattern string) bool {
 	}
 	return strings.Contains(pathTemplate, pattern)
 }
+
+// getCORSConfig will return the CORS config for the handler's database if set, otherwise it will return the server CORS config
+func (h *handler) getCORSConfig() *auth.CORSConfig {
+	if h.db != nil {
+		return h.db.CORS
+	}
+	return h.server.Config.API.CORS
+}

rest/session_api.go

@@ -36,16 +36,9 @@ func (h *handler) handleSessionGET() error {
 
 // POST /_session creates a login session and sets its cookie
 func (h *handler) handleSessionPOST() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := ""
-		if h.server.Config.API.CORS != nil {
-			matched = auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		}
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
 
 	// NOTE: handleSessionPOST doesn't handle creating users from OIDC - checkPublicAuth calls out into AuthenticateUntrustedJWT.
@@ -100,18 +93,10 @@ func (h *handler) getUserFromSessionRequestBody() (auth.User, error) {
 
 // DELETE /_session logs out the current session
 func (h *handler) handleSessionDELETE() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := ""
-		if h.server.Config.API.CORS != nil {
-			matched = auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		}
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
-
 	cookie := h.db.Authenticator(h.ctx()).DeleteSessionForCookie(h.ctx(), h.rq)
 	if cookie == nil {
 		return base.HTTPErrorf(http.StatusNotFound, "no session")
@@ -340,3 +325,16 @@ func (h *handler) formatSessionResponse(user auth.User) db.Body {
 	return response
 
 }
+
+// checkLoginCORS validates the auth.CORSConfig.LoginOrigin section of CORS for requests.
+// Note: Validation of the general Origin header against auth.CORSConfig.Origin happens separately in validateAndWriteHeaders.
+func (h *handler) checkLoginCORS() error {
+	originHeader := h.rq.Header["Origin"]
+	if len(originHeader) > 0 {
+		cors := h.getCORSConfig()
+		if cors.IsEmpty() || auth.MatchedOrigin(cors.LoginOrigin, originHeader) == "" {
+			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
+		}
+	}
+	return nil
+}

rest/session_test.go

@@ -41,17 +41,16 @@ func TestCORSLoginOriginOnSessionPost(t *testing.T) {
 
 // #issue 991
 func TestCORSLoginOriginOnSessionPostNoCORSConfig(t *testing.T) {
-	rt := NewRestTester(t, nil)
+	rt := NewRestTesterPersistentConfigNoDB(t)
 	defer rt.Close()
+	// Set CORS to nil, RestTester initializes CORS by default and it is inherited when creating a DatabaseContext
+	rt.ServerContext().Config.API.CORS = nil
 
+	RequireStatus(t, rt.CreateDatabase("db", rt.NewDbConfig()), http.StatusCreated)
 	reqHeaders := map[string]string{
 		"Origin": "http://example.com",
 	}
 
-	// Set CORS to nil
-	sc := rt.ServerContext()
-	sc.Config.API.CORS = nil
-
 	response := rt.SendRequestWithHeaders("POST", "/db/_session", `{"name":"jchris","password":"secret"}`, reqHeaders)
 	RequireStatus(t, response, 400)
 }
@@ -88,17 +87,21 @@ func TestCORSLogoutOriginOnSessionDelete(t *testing.T) {
 }
 
 func TestCORSLogoutOriginOnSessionDeleteNoCORSConfig(t *testing.T) {
-	rt := NewRestTester(t, &RestTesterConfig{GuestEnabled: true})
+	rt := NewRestTesterPersistentConfigNoDB(t)
 	defer rt.Close()
 
+	// Set CORS to nil, RestTester initializes CORS by default and it is inherited when creating a DatabaseContext
+	rt.ServerContext().Config.API.CORS = nil
+
+	const username = "alice"
+	RequireStatus(t, rt.CreateDatabase("db", rt.NewDbConfig()), http.StatusCreated)
+	rt.CreateUser(username, nil)
+
 	reqHeaders := map[string]string{
-		"Origin": "http://example.com",
+		"Origin":        "http://example.com",
+		"Authorization": GetBasicAuthHeader(t, username, RestTesterDefaultUserPassword),
 	}
 
-	// Set CORS to nil
-	sc := rt.ServerContext()
-	sc.Config.API.CORS = nil
-
 	response := rt.SendRequestWithHeaders("DELETE", "/db/_session", "", reqHeaders)
 	RequireStatus(t, response, 400)