Make Cors filters run before any other authorization filters

2015-11-06 09:45:58 -08:00 · 2015-11-06 09:45:58 -08:00 · 85080ae621
parent 982c7abea8
commit 85080ae621
7 changed files with 183 additions and 3 deletions
--- a/src/Microsoft.AspNet.Mvc.Cors/CorsAuthorizationFilter.cs
+++ b/src/Microsoft.AspNet.Mvc.Cors/CorsAuthorizationFilter.cs
@ -41,7 +41,9 @@ namespace Microsoft.AspNet.Mvc.Cors
        {
            get
            {
-                return int.MaxValue - 100;
+                // Since clients' preflight requests would not have data to authenticate requests, this
+                // filter must run before any other authorization filters.
+                return int.MinValue + 100;
            }
        }

--- a/src/Microsoft.AspNet.Mvc.Cors/CorsAuthorizationFilterFactory.cs
+++ b/src/Microsoft.AspNet.Mvc.Cors/CorsAuthorizationFilterFactory.cs
@ -28,7 +28,9 @@ namespace Microsoft.AspNet.Mvc.Cors
        {
            get
            {
-                return int.MaxValue - 100;
+                // Since clients' preflight requests would not have data to authenticate requests, this
+                // filter must run before any other authorization filters.
+                return int.MinValue + 100;
            }
        }

--- a/src/Microsoft.AspNet.Mvc.Cors/DisableCorsAuthorizationFilter.cs
+++ b/src/Microsoft.AspNet.Mvc.Cors/DisableCorsAuthorizationFilter.cs
@ -20,7 +20,9 @@ namespace Microsoft.AspNet.Mvc.Cors
        {
            get
            {
-                return int.MaxValue - 100;
+                // Since clients' preflight requests would not have data to authenticate requests, this
+                // filter must run before any other authorization filters.
+                return int.MinValue + 100;
            }
        }

--- a/test/Microsoft.AspNet.Mvc.FunctionalTests/CorsTests.cs
+++ b/test/Microsoft.AspNet.Mvc.FunctionalTests/CorsTests.cs
@ -215,5 +215,91 @@ namespace Microsoft.AspNet.Mvc.FunctionalTests
            var content = await response.Content.ReadAsStringAsync();
            Assert.Empty(content);
        }
+
+        [Theory]
+        [InlineData("http://localhost/api/store/actionusingcontrollercorssettings")]
+        [InlineData("http://localhost/api/store/actionwithcorssettings")]
+        public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters(string url)
+        {
+            // Arrange
+            var request = new HttpRequestMessage(new HttpMethod(CorsConstants.PreflightHttpMethod), url);
+
+            // Adding a custom header makes it a non-simple request.
+            request.Headers.Add(CorsConstants.Origin, "http://example.com");
+            request.Headers.Add(CorsConstants.AccessControlRequestMethod, "GET");
+            request.Headers.Add(CorsConstants.AccessControlRequestHeaders, "Custom");
+
+            // Act
+            var response = await Client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            var responseHeaders = response.Headers;
+            Assert.Equal(
+                new[] { "http://example.com" },
+                responseHeaders.GetValues(CorsConstants.AccessControlAllowOrigin).ToArray());
+            Assert.Equal(
+               new[] { "true" },
+               responseHeaders.GetValues(CorsConstants.AccessControlAllowCredentials).ToArray());
+            Assert.Equal(
+               new[] { "Custom" },
+               responseHeaders.GetValues(CorsConstants.AccessControlAllowHeaders).ToArray());
+
+            var content = await response.Content.ReadAsStringAsync();
+            Assert.Empty(content);
+        }
+
+        [Fact]
+        public async Task DisableCorsFilter_RunsBeforeOtherAuthorizationFilters()
+        {
+            // Controller has an authorization filter and Cors filter and the action has a DisableCors filter
+            // In this scenario, the CorsFilter should be executed before any other authorization filters
+            // i.e irrespective of where the Cors filter is applied(controller or action), Cors filters must
+            // always be executed before any other type of authorization filters.
+
+            // Arrange
+            var request = new HttpRequestMessage(
+                new HttpMethod(CorsConstants.PreflightHttpMethod),
+                "http://localhost/api/store/actionwithcorsdisabled");
+
+            // Adding a custom header makes it a non-simple request.
+            request.Headers.Add(CorsConstants.Origin, "http://example.com");
+            request.Headers.Add(CorsConstants.AccessControlRequestMethod, "GET");
+            request.Headers.Add(CorsConstants.AccessControlRequestHeaders, "Custom");
+
+            // Act
+            var response = await Client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            Assert.Empty(response.Headers);
+
+            // Nothing gets executed for a pre-flight request.
+            var content = await response.Content.ReadAsStringAsync();
+            Assert.Empty(content);
+        }
+
+        [Fact]
+        public async Task CorsFilter_OnAction_PreferredOverController_AndAuthorizationFiltersRunAfterCors()
+        {
+            // Arrange
+            var request = new HttpRequestMessage(
+                new HttpMethod(CorsConstants.PreflightHttpMethod),
+                "http://localhost/api/store/actionwithdifferentcorspolicy");
+            request.Headers.Add(CorsConstants.Origin, "http://notexpecteddomain.com");
+            request.Headers.Add(CorsConstants.AccessControlRequestMethod, "GET");
+            request.Headers.Add(CorsConstants.AccessControlRequestHeaders, "Custom");
+
+            // Act
+            var response = await Client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            Assert.Empty(response.Headers);
+
+            // Nothing gets executed for a pre-flight request.
+            var content = await response.Content.ReadAsStringAsync();
+            Assert.Empty(content);
+        }
    }
 }
--- a/test/WebSites/CorsWebSite/Controllers/StoreController.cs
+++ b/test/WebSites/CorsWebSite/Controllers/StoreController.cs
@ -0,0 +1,46 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using Microsoft.AspNet.Cors;
+using Microsoft.AspNet.Mvc;
+
+namespace CorsWebSite.Controllers
+{
+    [AllRequestsBlockingAuthorizationFilter]
+    [EnableCors("AllowAll")]
+    [Route("api/store/[action]")]
+    public class StoreController : Controller
+    {
+        [HttpGet]
+        public IEnumerable<string> ActionUsingControllerCorsSettings()
+        {
+            return new string[] { "product1", "product2" };
+        }
+
+        [HttpGet]
+        [EnableCors("Allow example.com")]
+        public string ActionWithCorsSettings()
+        {
+            return "product1";
+        }
+
+        // Irrespective of where(controller or action) the Cors filter is applied, Cors filters should be
+        // executed before any other type of authorization filters.
+        [HttpGet]
+        [DisableCors]
+        public string ActionWithCorsDisabled()
+        {
+            return "product1";
+        }
+
+        // Irrespective of where(controller or action) the Cors filter is applied, Cors filters should be
+        // executed before any other type of authorization filters.
+        [HttpGet]
+        [EnableCors("Allow example.com")]
+        public string ActionWithDifferentCorsPolicy()
+        {
+            return "product1";
+        }
+    }
+}
--- a/test/WebSites/CorsWebSite/Filters/AllRequestsBlockingAuthorizationFilter.cs
+++ b/test/WebSites/CorsWebSite/Filters/AllRequestsBlockingAuthorizationFilter.cs
@ -0,0 +1,22 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Mvc;
+using Microsoft.AspNet.Mvc.Filters;
+
+namespace CorsWebSite
+{
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
+    public class AllRequestsBlockingAuthorizationFilter : Attribute, IAuthorizationFilter
+    {
+        public void OnAuthorization(AuthorizationContext context)
+        {
+            context.Result = new ContentResult()
+            {
+                Content = "You are unauthorized!!",
+                StatusCode = 401
+            };
+        }
+    }
+}
--- a/test/WebSites/CorsWebSite/Startup.cs
+++ b/test/WebSites/CorsWebSite/Startup.cs
@ -47,6 +47,26 @@ namespace CorsWebSite
                               .WithMethods("PUT", "POST")
                               .WithExposedHeaders("exposed1", "exposed2");
                    });
+
+                options.AddPolicy(
+                    "AllowAll",
+                    builder =>
+                    {
+                        builder.AllowCredentials()
+                               .AllowAnyMethod()
+                               .AllowAnyHeader()
+                               .AllowAnyOrigin();
+                    });
+
+                options.AddPolicy(
+                    "Allow example.com",
+                    builder =>
+                    {
+                        builder.AllowCredentials()
+                               .AllowAnyMethod()
+                               .AllowAnyHeader()
+                               .WithOrigins("http://example.com");
+                    });
            });
        }