Allow Access-Control-Max-Age customization (#1069)

The change gives ability to control the cache age of the preflight
requests to Cross-Origin resources.

The default value remains 10 minutes.

Author: regeda

go/grpcweb/DOC.md

@@ -118,6 +118,17 @@ endpoints (e.g. for proxying).
 The default behaviour is `true`, i.e. only allows CORS requests for registered
 endpoints.
 
+#### func  WithCorsMaxAge
+
+```go
+func WithCorsMaxAge(maxAge time.Duration) Option
+```
+WithCorsMaxAge customize the `Access-Control-Max-Age: <delta-seconds>` header
+which controls the cache age for a CORS preflight request that checks to see if
+the CORS protocol is understood.
+
+The default age is 10 minutes.
+
 #### func  WithEndpointsFunc
 
 ```go

go/grpcweb/options.go

@@ -14,12 +14,14 @@ var (
 		corsForRegisteredEndpointsOnly: true,
 		originFunc:                     func(origin string) bool { return false },
 		allowNonRootResources:          false,
+		corsMaxAge:                     10 * time.Minute,
 	}
 )
 
 type options struct {
 	allowedRequestHeaders          []string
 	corsForRegisteredEndpointsOnly bool
+	corsMaxAge                     time.Duration
 	originFunc                     func(origin string) bool
 	enableWebsockets               bool
 	websocketPingInterval          time.Duration
@@ -68,6 +70,16 @@ func WithCorsForRegisteredEndpointsOnly(onlyRegistered bool) Option {
 	}
 }
 
+// WithCorsMaxAge customize the `Access-Control-Max-Age: <delta-seconds>` header which controls the cache age for a CORS preflight
+// request that checks to see if the CORS protocol is understood.
+//
+// The default age is 10 minutes.
+func WithCorsMaxAge(maxAge time.Duration) Option {
+	return func(o *options) {
+		o.corsMaxAge = maxAge
+	}
+}
+
 // WithEndpointsFunc allows for providing a custom function that provides all supported endpoints for use when the
 // when `WithCorsForRegisteredEndpoints` option` is not set to false (i.e. the default state).
 //

go/grpcweb/wrapper.go

@@ -70,9 +70,9 @@ func wrapGrpc(options []Option, handler http.Handler, endpointsFunc func() []str
 	corsWrapper := cors.New(cors.Options{
 		AllowOriginFunc:  opts.originFunc,
 		AllowedHeaders:   allowedHeaders,
-		ExposedHeaders:   nil,                                 // make sure that this is *nil*, otherwise the WebResponse overwrite will not work.
-		AllowCredentials: true,                                // always allow credentials, otherwise :authorization headers won't work
-		MaxAge:           int(10 * time.Minute / time.Second), // make sure pre-flights don't happen too often (every 5s for Chromium :( )
+		ExposedHeaders:   nil,  // make sure that this is *nil*, otherwise the WebResponse overwrite will not work.
+		AllowCredentials: true, // always allow credentials, otherwise :authorization headers won't work
+		MaxAge:           int(opts.corsMaxAge.Seconds()),
 	})
 	websocketOriginFunc := opts.websocketOriginFunc
 	if websocketOriginFunc == nil {
@@ -120,7 +120,7 @@ func (w *WrappedGrpcServer) ServeHTTP(resp http.ResponseWriter, req *http.Reques
 				return
 			}
 		}
-		resp.WriteHeader(403)
+		resp.WriteHeader(http.StatusForbidden)
 		_, _ = resp.Write(make([]byte, 0))
 		return
 	}

go/grpcweb/wrapper_test.go

@@ -449,6 +449,33 @@ func (s *GrpcWebWrapperTestSuite) TestCORSPreflight_AllowedByOriginFunc() {
 	assert.Equal(s.T(), 500, corsResp.StatusCode, "cors should return 500 as grpc server does not understand that endpoint")
 }
 
+func (s *GrpcWebWrapperTestSuite) TestCORSPreflight_CorsMaxAge() {
+	/**
+	OPTIONS /improbable.grpcweb.test.TestService/Ping
+	Access-Control-Request-Method: POST
+	Access-Control-Request-Headers: origin, x-requested-with, accept
+	Origin: http://foo.client.com
+	*/
+	headers := http.Header{}
+	headers.Add("Access-Control-Request-Method", "POST")
+	headers.Add("Access-Control-Request-Headers", "origin, x-something-custom, x-grpc-web, accept")
+	headers.Add("Origin", "https://foo.client.com")
+
+	// Create a new server which customizes a cache time of the preflight request to a Cross-Origin Resource.
+	s.wrappedServer = grpcweb.WrapServer(s.grpcServer,
+		grpcweb.WithOriginFunc(func(string) bool {
+			return true
+		}),
+		grpcweb.WithCorsMaxAge(time.Hour),
+	)
+
+	corsResp, err := s.makeRequest("OPTIONS", "/improbable.grpcweb.test.TestService/PingList", headers, nil, false)
+	assert.NoError(s.T(), err, "cors preflight should not return errors")
+
+	preflight := corsResp.Header
+	assert.Equal(s.T(), "3600", preflight.Get("Access-Control-Max-Age"), "allowed max age must be in the response headers")
+}
+
 func (s *GrpcWebWrapperTestSuite) TestCORSPreflight_EndpointsOnlyTrueWithHandlerFunc() {
 	/**
 	OPTIONS /improbable.grpcweb.test.TestService/Ping