Add CORS configuration for autocomplete API #3571
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kevindew
force-pushed
the
cors-autocomplete
branch
from
71b33b5 to
bef01a6
Compare
kevindew
force-pushed
the
cors-autocomplete
branch
from
bef01a6 to
5b55c75
Compare
jackbot
reviewed
Dec 12, 2024
config/initializers/cors.rb
Outdated
| Rails.application.config.middleware.insert_before 0, Rack::Cors do | ||
| # Allow the autocomplete API to be accessed from any GOV.UK domain, including non-production ones. | ||
| # This allows autocomplete to be available on CSV previews, which are hosted on | ||
| # assets.publishing.service.gov.uk. This allows allows for local development usage. |
There was a problem hiding this comment.
Little typo here with two "allows".
jackbot
reviewed
Dec 12, 2024
| end | ||
| end | ||
|
|
||
| it "returns CORS headers when there is a format extension on the path" do |
There was a problem hiding this comment.
The spec description says "a format extension on the path" but I'm not seeing one in the action get request, am I missing something here?
Allow the autocomplete API to be accessed from any GOV.UK domain, including non-production ones. This lets us use the API in local development "live" stacks as well as the GOV.UK Publishing Components guide.
This fixes a couple of bugs in the previous implementation of this. Using GovukContentSecurityPolicy::GOVUK_DOMAINS didn't work because it makes use of wildcard origins, which aren't supported by rack-cors. I chose to put together a simple regex as an alternative. It also had an incorrect path for the resource - I had a wildcard asterisk so it can handle with and without format as the Rails path is without a format, yet in our apps we've configured a .json format [1]. Since the original was written it was also discovered that this configuration would be needed for more than just development environments and would actually be needed in production. The situation where this is needed is CSV previews [2] which are GOV.UK pages with the layout_super_navigation_header component hosted on the assets.publishing.service.gov.uk. In order to demonstrate CORS taking effect requests need to be provided with an origin header e.g: ``` ➜ ~ curl -Is -H "Origin: https://www.gov.uk" \ http://127.0.0.1:3062/api/search/autocomplete.json\?q\=test | grep access-control access-control-allow-origin: https://www.gov.uk access-control-allow-methods: GET access-control-expose-headers: access-control-max-age: 7200 ``` An absence of any access-control-* headers indicates a CORS fail and in a browser a request will be blocked e.g: ``` ➜ ~ curl -Is -H "Origin: https://example.com" \ http://127.0.0.1:3062/api/search/autocomplete.json\?q\=test | grep access-control ``` I've wrote request specs that demonstrate these behaviours. [1]: https://github.com/alphagov/govuk_publishing_components/blob/171e814b327bcfa0f2437fff0514ff086e31c96b/app/views/govuk_publishing_components/components/_layout_super_navigation_header.html.erb#L334 [2]: https://assets.publishing.service.gov.uk/media/663ca4da8603389a07a6d2f8/Malpractice_in_VTQ_-_Example_CSV_File.csv/preview
kevindew
force-pushed
the
cors-autocomplete
branch
from
5b55c75 to
cf3002f
Compare
jackbot
approved these changes
Dec 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update from @kevindew
Since the original was written it was also discovered that this
configuration would be needed for more than just development
environments and would actually be needed in production. The situation
where this is needed is CSV previews 2 which are GOV.UK pages with the
layout_super_navigation_header component hosted on the
assets.publishing.service.gov.uk.
In order to demonstrate CORS taking effect requests need to be provided
with an origin header e.g:
An absence of any access-control-* headers indicates a CORS fail and in
a browser a request will be blocked e.g:
---
Allow the autocomplete API to be accessed from any GOV.UK domain, including non-production ones. This lets us use the API in local development "live" stacks as well as the GOV.UK Publishing Components guide.