From 16d88402cbeb51d376d14c9d32e2bc00d00e4cb2 Mon Sep 17 00:00:00 2001
From: vpl <vpl@vpl.me>
Date: Sun, 1 Sep 2019 13:00:12 +0200
Subject: [PATCH 1/2] Initial version of CORS support

---
 src/main.rs |  3 ++-
 src/util.rs | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/src/main.rs b/src/main.rs
index ffd28564..081997dc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -250,7 +250,8 @@ fn launch_rocket() {
     let rocket = rocket
         .manage(db::init_pool())
         .manage(api::start_notification_server())
-        .attach(util::AppHeaders());
+        .attach(util::AppHeaders())
+        .attach(util::CORS());
 
     // Launch and print error if there is one
     // The launch will restore the original logging level
diff --git a/src/util.rs b/src/util.rs
index c9815f15..6792fdc5 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -4,6 +4,8 @@
 use rocket::fairing::{Fairing, Info, Kind};
 use rocket::response::{self, Responder};
 use rocket::{Request, Response};
+use rocket::http::{Header, ContentType, Method};
+use std::io::Cursor;
 
 pub struct AppHeaders();
 
@@ -31,6 +33,39 @@ impl Fairing for AppHeaders {
     }
 }
 
+
+pub struct CORS();
+
+impl Fairing for CORS {
+    fn info(&self) -> Info {
+        Info {
+            name: "Add CORS headers to requests",
+            kind: Kind::Response
+        }
+    }
+
+    fn on_response(&self, request: &Request, response: &mut Response) {
+        // We need to explictly get the Origin header for Access-Control-Allow-Origin
+        let origin = match request.headers().get_one("Origin") {
+            Some(h) => h.to_string(),
+            _ => "".to_string(),
+        };
+
+        if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
+            // Requests with credentials need explicit values since they do not allow wildcards.
+            response.set_header(Header::new("Access-Control-Allow-Origin", origin));
+            response.set_header(Header::new("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH"));
+            response.set_header(Header::new("Access-Control-Allow-Headers", "*, Authorization"));
+            response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
+        }
+
+        if request.method() == Method::Options {
+            response.set_header(ContentType::Plain);
+            response.set_sized_body(Cursor::new(""));
+        }
+    }
+}
+
 pub struct Cached<R>(R, &'static str);
 
 impl<R> Cached<R> {

From 5a2f968d7a868fcfed2c67055ada88dd7a8db06b Mon Sep 17 00:00:00 2001
From: vpl <vpl@vpl.me>
Date: Mon, 2 Sep 2019 21:13:12 +0200
Subject: [PATCH 2/2] Set correct response headers, status code

---
 src/util.rs | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/src/util.rs b/src/util.rs
index 6792fdc5..a3548fcb 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -4,7 +4,7 @@
 use rocket::fairing::{Fairing, Info, Kind};
 use rocket::response::{self, Responder};
 use rocket::{Request, Response};
-use rocket::http::{Header, ContentType, Method};
+use rocket::http::{Header, HeaderMap, ContentType, Method, Status};
 use std::io::Cursor;
 
 pub struct AppHeaders();
@@ -33,9 +33,17 @@ impl Fairing for AppHeaders {
     }
 }
 
-
 pub struct CORS();
 
+impl CORS {
+    fn get_header(headers: &HeaderMap, name: &str) -> String {
+        match headers.get_one(name) {
+            Some(h) => h.to_string(),
+            _ => "".to_string(),
+        }
+    }
+}
+
 impl Fairing for CORS {
     fn info(&self) -> Info {
         Info {
@@ -45,21 +53,25 @@ impl Fairing for CORS {
     }
 
     fn on_response(&self, request: &Request, response: &mut Response) {
-        // We need to explictly get the Origin header for Access-Control-Allow-Origin
-        let origin = match request.headers().get_one("Origin") {
-            Some(h) => h.to_string(),
-            _ => "".to_string(),
-        };
+        let req_headers = request.headers();
+
+        // We need to explicitly get the Origin header for Access-Control-Allow-Origin
+        let req_allow_origin = CORS::get_header(&req_headers, "Origin");
+
+        let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+
+        let req_allow_methods =CORS::get_header(&req_headers,"Access-Control-Request-Methods");
 
         if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
             // Requests with credentials need explicit values since they do not allow wildcards.
-            response.set_header(Header::new("Access-Control-Allow-Origin", origin));
-            response.set_header(Header::new("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH"));
-            response.set_header(Header::new("Access-Control-Allow-Headers", "*, Authorization"));
+            response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
+            response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_methods));
+            response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
             response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
         }
 
         if request.method() == Method::Options {
+            response.set_status(Status::Ok);
             response.set_header(ContentType::Plain);
             response.set_sized_body(Cursor::new(""));
         }