bug: fix CORS issue (#1447)

Author: ethowitz

.circleci/config.yml

@@ -195,6 +195,7 @@ jobs:
             MYSQL_USER: test
             MYSQL_PASSWORD: test
             MYSQL_DATABASE: syncstorage
+    resource_class: large
     steps:
       - setup_remote_docker:
           docker_layer_caching: true

syncserver-settings/src/lib.rs

@@ -176,7 +176,7 @@ impl Default for Settings {
             statsd_host: Some("localhost".to_owned()),
             statsd_port: 8125,
             human_logs: false,
-            cors_allowed_origin: None,
+            cors_allowed_origin: Some("*".to_owned()),
             cors_allowed_methods: Some(
                 ["DELETE", "GET", "POST", "PUT"]
                     .into_iter()
@@ -187,7 +187,7 @@ impl Default for Settings {
                 [
                     "Authorization",
                     "Content-Type",
-                    "UserAgent",
+                    "User-Agent",
                     X_LAST_MODIFIED,
                     X_WEAVE_TIMESTAMP,
                     X_WEAVE_NEXT_OFFSET,
@@ -202,7 +202,7 @@ impl Default for Settings {
                 .map(String::from)
                 .collect(),
             ),
-            cors_max_age: None,
+            cors_max_age: Some(1728000),
             syncstorage: SyncstorageSettings::default(),
             tokenserver: TokenserverSettings::default(),
         }

syncserver/src/server/mod.rs

@@ -376,10 +376,6 @@ fn build_cors(settings: &Settings) -> Cors {
     // for finer grained specification.
     let mut cors = Cors::default();
 
-    if let Some(allowed_origin) = &settings.cors_allowed_origin {
-        cors = cors.allowed_origin(allowed_origin);
-    }
-
     if let Some(allowed_methods) = &settings.cors_allowed_methods {
         let mut methods = vec![];
         for method_string in allowed_methods {
@@ -396,6 +392,16 @@ fn build_cors(settings: &Settings) -> Cors {
         cors = cors.max_age(*max_age);
     }
 
+    // explicitly set the CORS allow origin, since Default does not
+    // appear to set the `allow-origins: *` header.
+    if let Some(ref origin) = settings.cors_allowed_origin {
+        if origin == "*" {
+            cors = cors.allow_any_origin();
+        } else {
+            cors = cors.allowed_origin(origin);
+        }
+    }
+
     cors
 }
 

tools/integration_tests/run.py

@@ -49,7 +49,7 @@ def start_server():
 
     os.environ.setdefault("SYNC_MASTER_SECRET", "secret0")
     os.environ.setdefault("SYNC_CORS_MAX_AGE", "555")
-    os.environ.setdefault("SYNC_CORS_ALLOWED_ORIGIN", "localhost")
+    os.environ.setdefault("SYNC_CORS_ALLOWED_ORIGIN", "*")
     mock_fxa_server_url = os.environ["MOCK_FXA_SERVER_URL"]
     url = "%s/v2" % mock_fxa_server_url
     os.environ["SYNC_TOKENSERVER__FXA_BROWSERID_SERVER_URL"] = url

tools/integration_tests/test_storage.py

@@ -2266,6 +2266,17 @@ def test_cors_settings_are_set(self):
             res.headers["access-control-allow-origin"], "localhost"
         )
 
+    def test_cors_allows_any_origin(self):
+        self.app.options(
+            self.root + "/__heartbeat__",
+            headers={
+                "Access-Control-Request-Method": "GET",
+                "Origin": "http://test-website.com",
+                "Access-Control-Request-Headers": "Content-Type"
+            },
+            status=200
+        )
+
     # PATCH is not a default allowed method, so request should return 405
     def test_patch_is_not_allowed(self):
         collection = self.root + "/storage/xxx_col1"