[1.x] Add support for wildcard allowed origins #233
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This looks great, thank you 🙌 |
joedixon
approved these changes
Jul 30, 2024
|
@joedixon Thanks 👍 Does this need documenting as well? |
|
Yeah, it would be good to update the docs once this is merged and tagged. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
At present the allowed origins option does not allow for wildcard origins other than
['*']. As such, if you want to support a set of subdomains as well as the primary domain, you have to list out each one individually into thereverb.phpconfig file, e.g.,:This is all fair and well if the subdomains are well defined, but if you either have a lot of them or your application allows the users to define a subdomain e.g., in the context of a multi-tenant setup, then you may not be able to define these easily.
However, the only wildcard support available is the
['*']option, but this opens it to all origins, which may not be desired.This pull request would provide support for wildcard origins to be specified in the config, allowing users to set what origins are allowed, with some more flexibility e.g.:
With this config, reverb would allow an origin at the root domain level and any subdomain of the root domain.
The underlying change follows a similar pattern/implementation as the CORS middleware, i.e.,
Str::is()The tests have been extended to include additional checks when wildcard origins are used. I had to extend the
FakeConnection::classto allow for an origin to be defined besides localhost. I've added this as a 2nd parameter and in the extended tests used the name parameter.N.B., the test 'accepts a connection from an valid origin' has an incorrect config set path for allowed origins, it just happens that the default (
['*']) allows everything and as such the test passes.