Class: Rage::Cors

Inherits:
Object
Defined in:
lib/rage/middleware/cors.rb


Instance Method Details

#allow(*origins, methods: "*", allow_headers: "*", expose_headers: nil, max_age: nil, allow_credentials: false) ⇒ Object

Note:

The middleware only supports the basic case of allowing one or several origins for the whole application. Use Rack::Cors if you are looking to specify more advanced rules.

Set CORS rules for the application.

Examples:

config.middleware.use Rage::Cors do
  allow "localhost:5173", "myhost.com"
end
config.middleware.use Rage::Cors do
  allow "*",
    methods: [:get, :post, :put],
    allow_headers: ["x-domain-token"],
    expose_headers: ["Some-Custom-Response-Header"],
    max_age: 600
end

Parameters:

  • origins (String, Regexp, "*")

    origins allowed to access the application

  • methods (Array<Symbol>, "*") (defaults to: "*")

    allowed methods when accessing the application

  • allow_headers (Array<String>, "*") (defaults to: "*")

    indicate which HTTP headers can be used when making the actual request

  • expose_headers (Array<String>, "*") (defaults to: nil)

    adds the specified headers to the allowlist that JavaScript in browsers is allowed to access

  • max_age (Integer) (defaults to: nil)

    indicate how long the results of a preflight request can be cached

  • allow_credentials (Boolean) (defaults to: false)

    indicate whether or not the response to the request can be exposed when the credentials flag is true



# File 'lib/rage/middleware/cors.rb', line 57

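# Set CORS rules for the application.
#
# Origins are normalised into a list: a bare host is expanded to both its
# `https://` and `http://` forms, a value that already carries a scheme or a
# Regexp is kept as given, and `"*"` short-circuits the whole list to a
# wildcard.
#
# @note The middleware only supports the basic case of allowing one or several
#   origins for the whole application. Use Rack::Cors for more advanced rules.
# @param origins [String, Regexp, "*"] origins allowed to access the application
# @param methods [Array<Symbol>, Symbol, "*"] allowed methods; anything outside
#   GET/POST/PUT/PATCH/DELETE/HEAD/OPTIONS is rejected
# @param allow_headers [Array<String>, "*"] headers the actual request may use
# @param expose_headers [Array<String>, "*"] response headers browser-side JavaScript may read
# @param max_age [Integer] how long a preflight result may be cached
# @param allow_credentials [Boolean] whether credentialed requests are allowed; when true,
#   `allow_headers` and `expose_headers` must be listed explicitly
# @raise [RuntimeError] on an unsupported method, or on a `"*"` header list combined
#   with `allow_credentials: true`
# @return [Array] the prepared preflight response (`[204, headers, []]`)
def allow(*origins, methods: "*", allow_headers: "*", expose_headers: nil, max_age: nil, allow_credentials: false)
  @allow_headers = Array(allow_headers).join(", ") if allow_headers
  @expose_headers = Array(expose_headers).join(", ") if expose_headers
  @max_age = max_age.to_s if max_age
  @allow_credentials = "true" if allow_credentials

  @default_methods = %w(GET POST PUT PATCH DELETE HEAD OPTIONS)
  @methods = if methods != "*"
    # `map` rather than `map!` so the caller's array is not rewritten in place;
    # `Array()` additionally accepts a single symbol.
    normalized = Array(methods).map { |method| method.to_s.upcase }
    invalid_methods = normalized - @default_methods
    raise "Unsupported method passed to Rage::Cors: #{invalid_methods[0]}" if invalid_methods.any?

    normalized.join(", ")
  elsif @allow_credentials
    # With credentials a wildcard method list is not honoured by browsers, so
    # the supported methods are spelled out instead.
    @default_methods.join(", ")
  else
    "*"
  end

  if @allow_credentials
    raise "Rage::Cors requires you to explicitly list allowed headers when using `allow_credentials: true`" if @allow_headers == "*"
    raise "Rage::Cors requires you to explicitly list exposed headers when using `allow_credentials: true`" if @expose_headers == "*"
  end

  @origins = []
  origins.each do |origin|
    if origin == "*"
      # NOTE(review): a wildcard origin together with `allow_credentials: true`
      # is only usable by browsers if the middleware echoes the request's Origin
      # header instead of sending "*"; create_cors_proc / create_headers are not
      # visible here — confirm which it does.
      @origins = "*"
      break
    elsif origin.is_a?(Regexp) || origin.match?(%r{\A\S+://})
      # `\A` anchors to the start of the whole string (`^` only anchors a line).
      @origins << origin
    else
      # Bare host: accept it over both schemes.
      @origins << "https://#{origin}" << "http://#{origin}"
    end
  end

  @cors_check = create_cors_proc
  @cors_response = [204, create_headers, []]
end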