Only set 'Access-Control-Allow-Credentials' if required for preflight to succeed

andreasf · andreasf · commit 4ede7389dce7 · 2018-09-28T10:21:20.000+02:00
diff --git a/lib/pact/mock_service/request_handlers/options.rb b/lib/pact/mock_service/request_handlers/options.rb
@@ -13,6 +13,8 @@ class Options < BaseRequestHandler
         ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin".freeze
         ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods".freeze
         ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers".freeze
+        AUTHORIZATION = "authorization".freeze
+        COOKIE = "cookie".freeze
         HTTP_ORIGIN = "HTTP_ORIGIN".freeze
         ALL_METHODS = "DELETE, POST, GET, HEAD, PUT, TRACE, CONNECT, PATCH".freeze
         REQUEST_METHOD = "REQUEST_METHOD".freeze
@@ -31,12 +33,15 @@ def match? env
 
         def respond env
           cors_headers = {
-            ACCESS_CONTROL_ALLOW_CREDENTIALS => 'true',
             ACCESS_CONTROL_ALLOW_ORIGIN => env.fetch(HTTP_ORIGIN,'*'),
             ACCESS_CONTROL_ALLOW_HEADERS => env.fetch(HTTP_ACCESS_CONTROL_REQUEST_HEADERS, '*'),
             ACCESS_CONTROL_ALLOW_METHODS => ALL_METHODS
           }
 
+          if is_request_with_credentials?(env)
+            cors_headers[ACCESS_CONTROL_ALLOW_CREDENTIALS] = "true"
+          end
+
           logger.info "Received OPTIONS request for mock service administration endpoint #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]} #{env['PATH_INFO']}. Returning CORS headers: #{cors_headers}."
           [200, cors_headers, []]
         end
@@ -48,6 +53,11 @@ def is_options_request? env
         def is_administration_request? env
           (env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS] || '').match(X_PACT_MOCK_SERVICE_REGEXP)
         end
+
+        def is_request_with_credentials? env
+          headers = (env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS] || '').split(",").map { |header| header.strip.downcase }
+          headers.include?(AUTHORIZATION) || headers.include?(COOKIE)
+        end
       end
     end
   end
diff --git a/spec/lib/pact/mock_service/request_handlers/options_spec.rb b/spec/lib/pact/mock_service/request_handlers/options_spec.rb
@@ -23,7 +23,7 @@ module RequestHandlers
             subject { response[1] }
 
             it { is_expected.to include 'Access-Control-Allow-Methods' => 'DELETE, POST, GET, HEAD, PUT, TRACE, CONNECT, PATCH' }
-            it { is_expected.to include 'Access-Control-Allow-Credentials' => 'true' }
+            it { is_expected.to_not include 'Access-Control-Allow-Credentials' => 'true' }
 
             context "with Origin" do
               it { is_expected.to include 'Access-Control-Allow-Origin' => 'foo.com' }
@@ -48,6 +48,22 @@ module RequestHandlers
 
               it { is_expected.to include 'Access-Control-Allow-Headers' => '*' }
             end
+
+            context "with 'Authorization' in Access-Control-Request-Headers" do
+              before do
+                env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] = 'foo, Authorization, bar'
+              end
+
+              it { is_expected.to include 'Access-Control-Allow-Credentials' => 'true' }
+            end
+
+            context "with 'Cookie' in Access-Control-Request-Headers" do
+              before do
+                env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] = 'foo, Cookie, bar'
+              end
+
+              it { is_expected.to include 'Access-Control-Allow-Credentials' => 'true' }
+            end
           end
         end
       end
