feat(primer-service): Add a naïve CORS policy.

dhess · dhess · commit c54d0027c9f0 · 2022-07-22T09:05:07.000-04:00
Notes: * This policy was created using the following references: https://stackoverflow.com/questions/63876281/cors-problem-while-making-a-fetch-call-from-ui-app-to-servant-server https://stackoverflow.com/questions/41399055/haskell-yesod-cors-problems-with-browsers-options-requests-when-doing-post-req/56256513#56256513 larskuhtz/wai-cors#29 (comment) We've also added `PUT` to the list of CORS methods recommended in the last reference, as our API uses it. * This policy does not specify any origins, which means its origins are equivalent to "*". Therefore, this policy will not work with credentialed requests. This is fine for now. * This policy does not specify an `Access-Control-Max-Age` (via wai-cors's `corsMaxAge` field), and therefore responses to browser preflight requests will only be cached for 5 seconds. This is helpful for testing, but is obviously not ideal for production use, so this will need to be addressed if we decide to use CORS in production.
diff --git a/primer-service/primer-service.cabal b/primer-service/primer-service.cabal
@@ -53,6 +53,7 @@ library
     , uuid               ^>=1.3
     , wai                ^>=3.2
     , wai-app-static     ^>=3.1
+    , wai-cors           ^>=0.2.7
     , warp               ^>=3.3
 
 executable primer-service
diff --git a/primer-service/src/Primer/Server.hs b/primer-service/src/Primer/Server.hs
@@ -1,4 +1,5 @@
 {-# LANGUAGE GADTs #-}
+{-# LANGUAGE ImportQualifiedPost #-}
 {-# LANGUAGE OverloadedLabels #-}
 
 -- | An HTTP service for the Primer API.
@@ -24,6 +25,15 @@ import Network.Wai.Handler.Warp (
   setPort,
  )
 import Network.Wai.Handler.Warp qualified as Warp (runSettings)
+import Network.Wai.Middleware.Cors (
+  CorsResourcePolicy(..),
+  cors,
+  corsMethods,
+  corsRequestHeaders,
+  simpleCorsResourcePolicy,
+  simpleHeaders,
+  simpleMethods,
+ )
 import Optics ((%), (.~), (?~))
 import Primer.API (
   Env (..),
@@ -410,10 +420,21 @@ primerServer = openAPIServer :<|> legacyServer
 server :: Env -> Server API
 server e = pure openAPIInfo :<|> hoistPrimer e
 
+-- | CORS settings for the Primer API. Note that this policy will not
+-- work with credentialed requests because the origin is implicitly
+-- "*". See:
+-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards
+apiCors :: CorsResourcePolicy
+apiCors =
+  simpleCorsResourcePolicy
+    { corsMethods = simpleMethods <> ["PUT", "OPTIONS"]
+    , corsRequestHeaders = simpleHeaders <> ["Content-Type", "Authorization"]
+    }
+
 serve :: Sessions -> TBQueue Database.Op -> Version -> Int -> IO ()
 serve ss q v port = do
   putText $ "Listening on port " <> show port
-  Warp.runSettings warpSettings $ noCache $ Servant.serve api $ server $ Env ss q v
+  Warp.runSettings warpSettings $ noCache $ cors (const $ Just apiCors) $ Servant.serve api $ server $ Env ss q v
   where
     -- By default Warp will try to bind on either IPv4 or IPv6, whichever is
     -- available.
