userver-framework
diff --git a/‎.mapping.json‎
Lines changed: 8 additions & 0 deletions b/‎.mapping.json‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎core/CMakeLists.txt‎
Lines changed: 1 addition & 0 deletions b/‎core/CMakeLists.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎core/include/userver/server/http/http_method.hpp‎
Lines changed: 7 additions & 0 deletions b/‎core/include/userver/server/http/http_method.hpp‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎core/include/userver/server/middlewares/cors.hpp‎
Lines changed: 123 additions & 0 deletions b/‎core/include/userver/server/middlewares/cors.hpp‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎core/src/server/http/http_method.cpp‎
Lines changed: 7 additions & 0 deletions b/‎core/src/server/http/http_method.cpp‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎core/src/server/middlewares/cors.cpp‎
Lines changed: 188 additions & 0 deletions b/‎core/src/server/middlewares/cors.cpp‎
Lines changed: 188 additions & 0 deletions
@@ -1090,6 +1090,7 @@
   "core/include/userver/server/http/http_status.hpp":"taxi/uservices/userver/core/include/userver/server/http/http_status.hpp",
   "core/include/userver/server/middlewares/builtin.hpp":"taxi/uservices/userver/core/include/userver/server/middlewares/builtin.hpp",
   "core/include/userver/server/middlewares/configuration.hpp":"taxi/uservices/userver/core/include/userver/server/middlewares/configuration.hpp",
+  "core/include/userver/server/middlewares/cors.hpp":"taxi/uservices/userver/core/include/userver/server/middlewares/cors.hpp",
   "core/include/userver/server/middlewares/headers_propagator.hpp":"taxi/uservices/userver/core/include/userver/server/middlewares/headers_propagator.hpp",
   "core/include/userver/server/middlewares/http_middleware_base.hpp":"taxi/uservices/userver/core/include/userver/server/middlewares/http_middleware_base.hpp",
   "core/include/userver/server/request/request_config.hpp":"taxi/uservices/userver/core/include/userver/server/request/request_config.hpp",
@@ -1900,6 +1901,8 @@
   "core/src/server/middlewares/baggage.hpp":"taxi/uservices/userver/core/src/server/middlewares/baggage.hpp",
   "core/src/server/middlewares/configuration.cpp":"taxi/uservices/userver/core/src/server/middlewares/configuration.cpp",
   "core/src/server/middlewares/configuration.yaml":"taxi/uservices/userver/core/src/server/middlewares/configuration.yaml",
+  "core/src/server/middlewares/cors.cpp":"taxi/uservices/userver/core/src/server/middlewares/cors.cpp",
+  "core/src/server/middlewares/cors.yaml":"taxi/uservices/userver/core/src/server/middlewares/cors.yaml",
   "core/src/server/middlewares/deadline_propagation.cpp":"taxi/uservices/userver/core/src/server/middlewares/deadline_propagation.cpp",
   "core/src/server/middlewares/deadline_propagation.hpp":"taxi/uservices/userver/core/src/server/middlewares/deadline_propagation.hpp",
   "core/src/server/middlewares/decompression.cpp":"taxi/uservices/userver/core/src/server/middlewares/decompression.cpp",
@@ -3944,6 +3947,11 @@
   "samples/config_service/static_config.yaml":"taxi/uservices/userver/samples/config_service/static_config.yaml",
   "samples/config_service/tests/conftest.py":"taxi/uservices/userver/samples/config_service/tests/conftest.py",
   "samples/config_service/tests/test_config.py":"taxi/uservices/userver/samples/config_service/tests/test_config.py",
+  "samples/cors_service/CMakeLists.txt":"taxi/uservices/userver/samples/cors_service/CMakeLists.txt",
+  "samples/cors_service/main.cpp":"taxi/uservices/userver/samples/cors_service/main.cpp",
+  "samples/cors_service/static_config.yaml":"taxi/uservices/userver/samples/cors_service/static_config.yaml",
+  "samples/cors_service/testsuite/conftest.py":"taxi/uservices/userver/samples/cors_service/testsuite/conftest.py",
+  "samples/cors_service/testsuite/test_hello.py":"taxi/uservices/userver/samples/cors_service/testsuite/test_hello.py",
   "samples/digest_auth_service/CMakeLists.txt":"taxi/uservices/userver/samples/digest_auth_service/CMakeLists.txt",
   "samples/digest_auth_service/auth_digest.cpp":"taxi/uservices/userver/samples/digest_auth_service/auth_digest.cpp",
   "samples/digest_auth_service/auth_digest.hpp":"taxi/uservices/userver/samples/digest_auth_service/auth_digest.hpp",
 
@@ -153,6 +153,7 @@ list(APPEND EMBED_FILES
     src/server/handlers/ping.yaml
     src/server/handlers/server_monitor.yaml
     src/server/handlers/tests_control.yaml
+    src/server/middlewares/cors.yaml
     src/server/middlewares/configuration.yaml
     src/server/middlewares/headers_propagator.yaml
     src/server/websocket/websocket_handler.yaml
 
@@ -6,10 +6,15 @@
 #include <string>
 
 #include <fmt/core.h>
+#include <userver/formats/parse/to.hpp>
 #include <userver/utils/fmt_compat.hpp>
 
 USERVER_NAMESPACE_BEGIN
 
+namespace yaml_config {
+class YamlConfig;
+}
+
 namespace server::http {
 
 /// @brief List of HTTP methods
@@ -31,6 +36,8 @@ const std::string& ToString(HttpMethod method) noexcept;
 /// @brief Convert HTTP method string to enum value
 HttpMethod HttpMethodFromString(std::string_view method_str);
 
+HttpMethod Parse(const yaml_config::YamlConfig& value, formats::parse::To<HttpMethod>);
+
 }  // namespace server::http
 
 USERVER_NAMESPACE_END
 
@@ -0,0 +1,123 @@
+#pragma once
+
+/// @file userver/server/middlewares/cors.hpp
+/// @brief CORS (Cross-Origin Resource Sharing) middleware
+
+#include <string>
+#include <vector>
+
+#include <userver/formats/parse/to.hpp>
+#include <userver/http/common_headers.hpp>
+#include <userver/server/http/http_method.hpp>
+#include <userver/server/middlewares/builtin.hpp>
+#include <userver/server/middlewares/http_middleware_base.hpp>
+#include <userver/yaml_config/schema.hpp>
+
+USERVER_NAMESPACE_BEGIN
+
+namespace server::middlewares {
+
+/// @brief CORS (Cross-Origin Resource Sharing) middleware
+///
+/// This middleware handles CORS preflight requests and adds appropriate CORS headers
+/// to responses to allow cross-origin requests from web browsers.
+///
+/// @note The middleware is usually created by @ref server::middlewares::CorsFactory
+class Cors final : public HttpMiddlewareBase {
+public:
+    struct Config {
+        /// Allowed origins. Use "*" to allow all origins (not recommended for production)
+        std::vector<std::string> allowed_origins;
+
+        /// Allowed HTTP methods
+        std::vector<std::string> allowed_methods = {
+            ToString(http::HttpMethod::kGet),
+            ToString(http::HttpMethod::kPost),
+            ToString(http::HttpMethod::kPut),
+            ToString(http::HttpMethod::kPatch),
+            ToString(http::HttpMethod::kDelete),
+            ToString(http::HttpMethod::kHead),
+            ToString(http::HttpMethod::kOptions),
+        };
+
+        /// Allowed headers
+        std::vector<std::string> allowed_headers = {
+            std::string(USERVER_NAMESPACE::http::headers::kAccept),
+            std::string(USERVER_NAMESPACE::http::headers::kAcceptLanguage),
+            std::string(USERVER_NAMESPACE::http::headers::kContentLanguage),
+            std::string(USERVER_NAMESPACE::http::headers::kContentType),
+        };
+
+        /// Headers that can be exposed to the browser
+        std::vector<std::string> exposed_headers;
+
+        /// Whether to allow credentials (cookies, authorization headers)
+        bool allow_credentials{false};
+
+        /// Maximum age for preflight cache
+        std::chrono::seconds max_age{std::chrono::hours(24)};
+    };
+
+    explicit Cors(const Config& config);
+
+private:
+    void HandleRequest(http::HttpRequest& request, request::RequestContext& context) const override;
+
+    bool IsPreflightRequest(const http::HttpRequest& request) const;
+    void HandlePreflightRequest(http::HttpRequest& request) const;
+    void AddCorsHeaders(http::HttpRequest& request, const std::string& origin) const;
+    bool IsOriginAllowed(const std::string& origin) const;
+    const std::string& GetOriginHeader(const http::HttpRequest& request) const;
+
+    const Config config_;
+};
+
+/// @ingroup userver_components
+///
+/// @brief Factory for @ref server::middlewares::Cors
+///
+/// The middleware handles CORS preflight requests and adds appropriate CORS headers
+/// to responses to allow cross-origin requests from web browsers.
+/// For additional information about CORS please see https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS.
+///
+/// ## Static options of `CorsFactory`:
+///
+/// @include{doc} scripts/docs/en/components_schema/core/src/server/middlewares/cors.md
+///
+/// Options inherited from @ref components::RawComponentBase :
+/// @include{doc} scripts/docs/en/components_schema/core/src/components/impl/component_base.md
+///
+/// @see @ref server::middlewares::Cors
+class CorsFactory final : public HttpMiddlewareFactoryBase {
+public:
+    /// @ingroup userver_component_names
+    /// @brief The default name of @ref server::middlewares::CorsFactory component
+    static constexpr std::string_view kName = "cors-middleware";
+
+    CorsFactory(const components::ComponentConfig&, const components::ComponentContext&);
+
+    static yaml_config::Schema GetStaticConfigSchema();
+
+    yaml_config::Schema GetMiddlewareConfigSchema() const override;
+
+private:
+    std::unique_ptr<HttpMiddlewareBase> Create(
+        const handlers::HttpHandlerBase& handler,
+        yaml_config::YamlConfig middleware_config
+    ) const override;
+
+    const yaml_config::YamlConfig global_config_;
+};
+
+/// Parse CORS configuration from YAML
+Cors::Config Parse(const yaml_config::YamlConfig& value, formats::parse::To<Cors::Config>);
+
+}  // namespace server::middlewares
+
+template <>
+inline constexpr bool components::kHasValidate<server::middlewares::CorsFactory> = true;
+
+template <>
+inline constexpr auto components::kConfigFileMode<server::middlewares::CorsFactory> = ConfigFileMode::kRequired;
+
+USERVER_NAMESPACE_END
@@ -1,5 +1,7 @@
 #include <userver/server/http/http_method.hpp>
 
+#include <userver/yaml_config/yaml_config.hpp>
+
 USERVER_NAMESPACE_BEGIN
 
 namespace server::http {
@@ -89,6 +91,11 @@ HttpMethod HttpMethodFromString(std::string_view method_str) {
     return result;
 }
 
+HttpMethod Parse(const yaml_config::YamlConfig& value, formats::parse::To<HttpMethod>)
+{
+    return HttpMethodFromString(value.As<std::string>());
+}
+
 const std::string& ToString(HttpMethod method) noexcept {
     const auto& strings = GetHttpMethodStrings();
 
 
@@ -0,0 +1,188 @@
+#include <userver/server/middlewares/cors.hpp>
+
+#include <algorithm>
+
+#include <userver/components/component_config.hpp>
+#include <userver/components/component_context.hpp>
+#include <userver/formats/common/merge.hpp>
+#include <userver/formats/yaml/serialize.hpp>
+#include <userver/formats/yaml/value_builder.hpp>
+#include <userver/logging/log.hpp>
+#include <userver/server/handlers/exceptions.hpp>
+#include <userver/server/http/http_request.hpp>
+#include <userver/server/http/http_response.hpp>
+#include <userver/server/http/http_status.hpp>
+#include <userver/utils/algo.hpp>
+#include <userver/utils/text_light.hpp>
+#include <userver/yaml_config/merge_schemas.hpp>
+
+#ifndef ARCADIA_ROOT
+#include "generated/src/server/middlewares/cors.yaml.hpp"  // Y_IGNORE
+#endif
+
+USERVER_NAMESPACE_BEGIN
+
+namespace server::middlewares {
+
+namespace {
+
+constexpr std::string_view kAccessControlRequestMethod = "Access-Control-Request-Method";
+constexpr std::string_view kAccessControlAllowMethods = "Access-Control-Allow-Methods";
+constexpr std::string_view kAccessControlAllowHeaders = "Access-Control-Allow-Headers";
+constexpr std::string_view kAccessControlMaxAge = "Access-Control-Max-Age";
+constexpr std::string_view kAccessControlAllowOrigin = "Access-Control-Allow-Origin";
+constexpr std::string_view kAccessControlAllowCredentials = "Access-Control-Allow-Credentials";
+constexpr std::string_view kAccessControlExposeHeaders = "Access-Control-Expose-Headers";
+
+}  // namespace
+
+Cors::Cors(const Config& config)
+    : config_(config)
+{}
+
+void Cors::HandleRequest(http::HttpRequest& request, request::RequestContext& context) const {
+    const auto& origin = GetOriginHeader(request);
+
+    if (IsPreflightRequest(request)) {
+        HandlePreflightRequest(request);
+        return;  // Don't call Next() for preflight requests
+    }
+
+    // For actual requests, add CORS headers and continue processing
+    if (!origin.empty()) {
+        if (IsOriginAllowed(origin)) {
+            AddCorsHeaders(request, origin);
+        } else {
+            // NOLINTNEXTLINE(google-build-using-namespace)
+            using namespace server::handlers;
+            throw ClientError(
+                HandlerErrorCode::kUnauthorized,
+                ServiceErrorCode{"Access forbidden"},
+                InternalMessage{"Origin is forbidden"},
+                ExternalBody{"Bad Origin header"}
+            );
+        }
+    }
+
+    Next(request, context);
+}
+
+bool Cors::IsPreflightRequest(const http::HttpRequest& request) const {
+    return request.GetMethod() == http::HttpMethod::kOptions && request.HasHeader(kAccessControlRequestMethod);
+}
+
+void Cors::HandlePreflightRequest(http::HttpRequest& request) const {
+    const auto& origin = GetOriginHeader(request);
+
+    if (origin.empty() || !IsOriginAllowed(origin)) {
+        request.GetHttpResponse().SetStatus(http::HttpStatus::kForbidden);
+        return;
+    }
+
+    const auto& requested_method = request.GetHeader(kAccessControlRequestMethod);
+    if (requested_method.empty()) {
+        request.GetHttpResponse().SetStatus(http::HttpStatus::kBadRequest);
+        return;
+    }
+
+    if (!utils::Contains(config_.allowed_methods, requested_method)) {
+        request.GetHttpResponse().SetStatus(http::HttpStatus::kMethodNotAllowed);
+        return;
+    }
+
+    // All checks passed, send successful preflight response
+    auto& response = request.GetHttpResponse();
+    response.SetStatus(http::HttpStatus::kNoContent);
+
+    AddCorsHeaders(request, origin);
+
+    // Add preflight-specific headers
+    response.SetHeader(kAccessControlAllowMethods, utils::text::Join(config_.allowed_methods, " ,"));
+
+    if (!config_.allowed_headers.empty()) {
+        response.SetHeader(kAccessControlAllowHeaders, utils::text::Join(config_.allowed_headers, ", "));
+    }
+
+    response.SetHeader(kAccessControlMaxAge, std::to_string(config_.max_age.count()));
+}
+
+void Cors::AddCorsHeaders(http::HttpRequest& request, const std::string& origin) const {
+    auto& response = request.GetHttpResponse();
+
+    // Always set the origin for allowed requests
+    response.SetHeader(kAccessControlAllowOrigin, origin);
+
+    // Set credentials header if allowed
+    if (config_.allow_credentials) {
+        response.SetHeader(kAccessControlAllowCredentials, std::string{"true"});
+    }
+
+    // Set exposed headers if any
+    if (!config_.exposed_headers.empty()) {
+        response.SetHeader(kAccessControlExposeHeaders, utils::text::Join(config_.exposed_headers, ", "));
+    }
+
+    response.SetHeader(USERVER_NAMESPACE::http::headers::kVary, std::string{"Origin"});
+}
+
+bool Cors::IsOriginAllowed(const std::string& origin) const {
+    if (origin.empty()) {
+        return false;
+    }
+
+    // Check if wildcard is allowed
+    if (utils::Contains(config_.allowed_origins, "*")) {
+        return true;
+    }
+
+    LOG_INFO() << config_.allowed_origins;
+    // Check for exact matches
+    return utils::Contains(config_.allowed_origins, origin);
+}
+
+const std::string& Cors::GetOriginHeader(const http::HttpRequest& request) const { return request.GetHeader("Origin"); }
+
+Cors::Config Parse(const yaml_config::YamlConfig& value, formats::parse::To<Cors::Config>) {
+    Cors::Config config;
+
+    config.allowed_origins = value["allowed-origins"].As<std::vector<std::string>>();
+    config.allow_credentials = value["allow-credentials"].As<bool>(config.allow_credentials);
+    config.max_age = std::chrono::seconds(value["max-age-seconds"].As<int>(config.max_age.count()));
+
+    config.allowed_methods = value["allowed-methods"].As<std::vector<std::string>>(config.allowed_methods);
+    std::sort(config.allowed_methods.begin(), config.allowed_methods.end());
+
+    config.allowed_headers = value["allowed-headers"].As<std::vector<std::string>>(config.allowed_headers);
+    config.exposed_headers = value["exposed-headers"].As<std::vector<std::string>>({});
+
+    return config;
+}
+
+CorsFactory::CorsFactory(const components::ComponentConfig& config, const components::ComponentContext& context)
+    : HttpMiddlewareFactoryBase{config, context},
+      global_config_{(const yaml_config::YamlConfig&)config}  // Explicit slicing
+{}
+
+std::unique_ptr<HttpMiddlewareBase> CorsFactory::Create(
+    const handlers::HttpHandlerBase&,
+    yaml_config::YamlConfig middleware_config
+) const {
+    formats::yaml::ValueBuilder builder = global_config_.GetRawYamlWithoutConfigVars();
+    formats::common::Merge(builder, middleware_config.GetRawYamlWithoutConfigVars());
+    yaml_config::YamlConfig config(builder.ExtractValue(), middleware_config.GetRawConfigVars());
+
+    const auto cfg = config.As<Cors::Config>();
+    return std::make_unique<Cors>(cfg);
+}
+
+yaml_config::Schema CorsFactory::GetStaticConfigSchema() {
+    return yaml_config::MergeSchemasFromResource<ComponentBase>("src/server/middlewares/cors.yaml");
+}
+
+yaml_config::Schema CorsFactory::GetMiddlewareConfigSchema() const {
+    return yaml_config::MergeSchemasFromResource<ComponentBase>("src/server/middlewares/cors.yaml");
+}
+
+}  // namespace server::middlewares
+
+USERVER_NAMESPACE_END