graphql-engine/server/src-lib/Hasura/Server/Middleware.hs

module Hasura.Server.Middleware
  ( corsMiddleware,
  )
where

import Control.Applicative
import Data.ByteString qualified as B
import Data.CaseInsensitive qualified as CI
import Data.Text.Encoding qualified as TE
import Hasura.Prelude
import Hasura.Server.Cors
import Hasura.Server.Utils
import Network.HTTP.Types qualified as HTTP
import Network.Wai

corsMiddleware :: IO CorsPolicy -> Middleware
corsMiddleware getPolicy app req sendResp = do
  let origin = getRequestHeader "Origin" $ requestHeaders req
  policy <- getPolicy
  maybe (app req sendResp) (handleCors policy) origin
  where
    handleCors policy origin = case cpConfig policy of
      CCDisabled _ -> app req sendResp
      CCAllowAll -> sendCors origin policy
      CCAllowedOrigins ds
        -- if the origin is in our cors domains, send cors headers
        | bsToTxt origin `elem` dmFqdns ds -> sendCors origin policy
        -- if current origin is part of wildcard domain list, send cors
        | inWildcardList ds (bsToTxt origin) -> sendCors origin policy
        -- otherwise don't send cors headers
        | otherwise -> app req sendResp

    sendCors :: B.ByteString -> CorsPolicy -> IO ResponseReceived
    sendCors origin policy =
      case requestMethod req of
        "OPTIONS" -> sendResp $ respondPreFlight origin policy
        _ -> app req $ sendResp . injectCorsHeaders origin policy

    respondPreFlight :: B.ByteString -> CorsPolicy -> Response
    respondPreFlight origin policy =
      setHeaders (mkPreFlightHeaders requestedHeaders) $
        injectCorsHeaders origin policy emptyResponse

    emptyResponse = responseLBS HTTP.status204 [] ""
    requestedHeaders =
      fromMaybe "" $
        getRequestHeader "Access-Control-Request-Headers" $
          requestHeaders req

    injectCorsHeaders :: B.ByteString -> CorsPolicy -> Response -> Response
    injectCorsHeaders origin policy = setHeaders (mkCorsHeaders origin policy)

    mkPreFlightHeaders allowReqHdrs =
      [ ("Access-Control-Max-Age", "1728000"),
        ("Access-Control-Allow-Headers", allowReqHdrs),
        ("Content-Length", "0"),
        ("Content-Type", "text/plain charset=UTF-8")
      ]

    mkCorsHeaders origin policy =
      [ ("Access-Control-Allow-Origin", origin),
        ("Access-Control-Allow-Credentials", "true"),
        ( "Access-Control-Allow-Methods",
          B.intercalate "," $ TE.encodeUtf8 <$> cpMethods policy
        ),
        -- console requires this header to access the cache headers as HGE and console
        -- are hosted on different domains in production
        ( "Access-Control-Expose-Headers",
          B.intercalate "," $ TE.encodeUtf8 <$> cacheExposedHeaders
        )
      ]

    cacheExposedHeaders = ["X-Hasura-Query-Cache-Key", "X-Hasura-Query-Family-Cache-Key", "Warning"]
    setHeaders hdrs = mapResponseHeaders (\h -> mkRespHdrs hdrs ++ h)
    mkRespHdrs = map (\(k, v) -> (CI.mk k, v))
server: add explicit export lists in OSS server and enforce with warning We'll see if this improves compile times at all, but I think it's worth doing as at least the most minimal form of module documentation. This was accomplished by first compiling everything with -ddump-minimal-imports, and then a bunch of scripting (with help from ormolu) EDIT it doesn't seem to improve CI compile times but the noise floor is high as it looks like we're not caching library dependencies anymore PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2730 GitOrigin-RevId: 667eb8de1e0f1af70420cbec90402922b8b84cb4 2021-11-04 19:08:33 +03:00			`module Hasura.Server.Middleware`
			`( corsMiddleware,`
			`)`
			`where`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import Control.Applicative`
breaking: server logging changes (close #507, close #2171) (#1835) 2019-07-11 08:37:06 +03:00			`import Data.ByteString qualified as B`
			`import Data.CaseInsensitive qualified as CI`
			`import Data.Text.Encoding qualified as TE`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`import Hasura.Prelude`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import Hasura.Server.Cors`
			`import Hasura.Server.Utils`
server: assorted minor clean-up around HTTP managers - consistent qualified imports - less convoluted initialization of pro logging HTTP manager - pass pro HTTP manager directly instead of via Has - remove some dead healthcheck code PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3639 GitOrigin-RevId: dfa7b9c62d1842a07a8514cdb77f1ed86064fb06 2022-02-16 10:08:51 +03:00			`import Network.HTTP.Types qualified as HTTP`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`import Network.Wai`

server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`corsMiddleware :: IO CorsPolicy -> Middleware`
			`corsMiddleware getPolicy app req sendResp = do`
breaking: server logging changes (close #507, close #2171) (#1835) 2019-07-11 08:37:06 +03:00			`let origin = getRequestHeader "Origin" $ requestHeaders req`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`policy <- getPolicy`
			`maybe (app req sendResp) (handleCors policy) origin`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`where`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`handleCors policy origin = case cpConfig policy of`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`CCDisabled _ -> app req sendResp`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`CCAllowAll -> sendCors origin policy`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`CCAllowedOrigins ds`
			`-- if the origin is in our cors domains, send cors headers`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			\| bsToTxt origin `elem` dmFqdns ds -> sendCors origin policy
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`-- if current origin is part of wildcard domain list, send cors`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`\| inWildcardList ds (bsToTxt origin) -> sendCors origin policy`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`-- otherwise don't send cors headers`
			`\| otherwise -> app req sendResp`

server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`sendCors :: B.ByteString -> CorsPolicy -> IO ResponseReceived`
			`sendCors origin policy =`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`case requestMethod req of`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`"OPTIONS" -> sendResp $ respondPreFlight origin policy`
			`_ -> app req $ sendResp . injectCorsHeaders origin policy`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`respondPreFlight :: B.ByteString -> CorsPolicy -> Response`
			`respondPreFlight origin policy =`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`setHeaders (mkPreFlightHeaders requestedHeaders) $`
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`injectCorsHeaders origin policy emptyResponse`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
server: assorted minor clean-up around HTTP managers - consistent qualified imports - less convoluted initialization of pro logging HTTP manager - pass pro HTTP manager directly instead of via Has - remove some dead healthcheck code PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3639 GitOrigin-RevId: dfa7b9c62d1842a07a8514cdb77f1ed86064fb06 2022-02-16 10:08:51 +03:00			`emptyResponse = responseLBS HTTP.status204 [] ""`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`requestedHeaders =`
breaking: server logging changes (close #507, close #2171) (#1835) 2019-07-11 08:37:06 +03:00			`fromMaybe "" $`
			`getRequestHeader "Access-Control-Request-Headers" $`
			`requestHeaders req`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`injectCorsHeaders :: B.ByteString -> CorsPolicy -> Response -> Response`
			`injectCorsHeaders origin policy = setHeaders (mkCorsHeaders origin policy)`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
			`mkPreFlightHeaders allowReqHdrs =`
			`[ ("Access-Control-Max-Age", "1728000"),`
			`("Access-Control-Allow-Headers", allowReqHdrs),`
			`("Content-Length", "0"),`
			`("Content-Type", "text/plain charset=UTF-8")`
			`]`

server: rename `SchemaCacheRef` to `AppStateRef` and add `AppContext` to it PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8159 Co-authored-by: Naveen Naidu <30195193+Naveenaidu@users.noreply.github.com> Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> GitOrigin-RevId: a57f6dc8b3e992d86490e5c51508827f00151dfe 2023-03-17 13:29:07 +03:00			`mkCorsHeaders origin policy =`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`[ ("Access-Control-Allow-Origin", origin),`
			`("Access-Control-Allow-Credentials", "true"),`
			`( "Access-Control-Allow-Methods",`
			`B.intercalate "," $ TE.encodeUtf8 <$> cpMethods policy`
server: remove cache specific headers when response is not cached PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8637 Co-authored-by: Daniele Cammareri <5709409+dancamma@users.noreply.github.com> GitOrigin-RevId: 0af8adbb638394fb65926165b09ff237d060ce85 2023-04-16 22:31:59 +03:00			`),`
			`-- console requires this header to access the cache headers as HGE and console`
			`-- are hosted on different domains in production`
			`( "Access-Control-Expose-Headers",`
			`B.intercalate "," $ TE.encodeUtf8 <$> cacheExposedHeaders`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`)`
			`]`

server: remove cache specific headers when response is not cached PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8637 Co-authored-by: Daniele Cammareri <5709409+dancamma@users.noreply.github.com> GitOrigin-RevId: 0af8adbb638394fb65926165b09ff237d060ce85 2023-04-16 22:31:59 +03:00			`cacheExposedHeaders = ["X-Hasura-Query-Cache-Key", "X-Hasura-Query-Family-Cache-Key", "Warning"]`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`setHeaders hdrs = mapResponseHeaders (\h -> mkRespHdrs hdrs ++ h)`
			`mkRespHdrs = map (\(k, v) -> (CI.mk k, v))`