Page MenuHomePhabricator

[identity] pull out CORS logic
ClosedPublic

Authored by varun on Nov 1 2023, 4:46 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 4, 4:52 PM
Unknown Object (File)
Sun, Dec 22, 9:50 PM
Unknown Object (File)
Sat, Dec 21, 11:49 AM
Unknown Object (File)
Mon, Dec 16, 4:36 PM
Unknown Object (File)
Mon, Dec 16, 4:15 PM
Unknown Object (File)
Mon, Dec 16, 4:15 PM
Unknown Object (File)
Mon, Dec 16, 4:15 PM
Unknown Object (File)
Mon, Dec 16, 4:15 PM
Subscribers

Details

Summary

tonic_web::enable() is convenient but doesn't let us set a custom CORS configuration. as a result, the server currently rejects request headers "code_version" and "device_type" from web. therefore, i'm modifying our Server builder to take a cors layer and a GrcpWebLayer. it's slightly more verbose, but we need this to send request metadata over grpc-web.

Test Plan

confirmed the metadata could be parsed when i sent a GenerateNonce request to my local identity service from web

Diff Detail

Repository
rCOMM Comm
Branch
grpc-web (branched from master)
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

varun requested review of this revision.Nov 1 2023, 5:04 PM

add more allowed headers for auth interceptor

added a couple new crates, so requesting review from @ashoat

services/identity/src/constants.rs
162–168 ↗(On Diff #32604)

these are the defaults from tonic-web

New dependencies look good. Rust code looks simple, but will leave it for somebody else to review

@michal would you mind taking a look since bartek is out the rest of the week?

Nice to see the magic string constants removed!

services/identity/src/constants.rs
153–157 ↗(On Diff #32604)

I find it a bit cleaner to use hierarchy for cases like this but it's fine either way.

services/identity/src/cors.rs
9 ↗(On Diff #32604)

Is allow_methods not needed?

10 ↗(On Diff #32604)

In other web services (services/comm-services-lib/src/http.rs::cors_config) we currently set:

  • all origins in sandbox
  • web.comm.app and localhost (for local testing) for production

We might want to do that here too (at least the production setup).

16 ↗(On Diff #32604)

Why are these cloned() needed?

varun marked an inline comment as done.

address @michal's feedback

services/identity/src/cors.rs
9 ↗(On Diff #32604)

i think simple methods are allowed by default. that's why requests succeeded in testing. also i took the CorsLayer from here

16 ↗(On Diff #32604)

The cloned() method takes each &&'static str yielded by the original iterator (the one created with iter()) and clones the &'static str, effectively turning the iterator into one that yields &'static str.

This revision is now accepted and ready to land.Nov 6 2023, 1:25 AM
This revision was automatically updated to reflect the committed changes.