Access-Control-Allow-Credentials default value

Update docs/src/main/asciidoc/http-reference.adoc

Co-authored-by: Guillaume Smet <[email protected]>

config type + tests

change origin match rules

change config to Optional<Boolean>

docs/src/main/asciidoc/http-reference.adoc

@@ -184,6 +184,8 @@ not set.
 |quarkus.http.cors.exposed-headers||The comma-separated list of HTTP headers exposed in CORS.
 |quarkus.http.cors.access-control-max-age||The duration (see note below) indicating how long the results of a pre-flight request can be cached.
 This value will be returned in a `Access-Control-Max-Age` response header.
+|quarkus.http.cors.access-control-allow-credentials||Boolean value to tell the browsers to expose the response to front-end JavaScript code
+when the request’s credentials mode Request.credentials is “include”
 |===
 
 
@@ -199,6 +201,7 @@ quarkus.http.cors.methods=GET,PUT,POST
 quarkus.http.cors.headers=X-Custom
 quarkus.http.cors.exposed-headers=Content-Disposition
 quarkus.http.cors.access-control-max-age=24H
+quarkus.http.cors.access-control-allow-credentials=true
 ----
 
 == HTTP Limits Configuration
@@ -266,4 +269,3 @@ link:http://undertow.io/undertow-docs/undertow-docs-2.0.0/index.html#predicates-
 === web.xml
 
 If you are using a `web.xml` file as your configuration file, you can place it in the `src/main/resources/META-INF` directory.
-

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSFullConfigHandlerTestCase.java

@@ -31,6 +31,7 @@ public void corsFullConfigTestServlet() {
                 .header("Access-Control-Allow-Methods", "GET")
                 .header("Access-Control-Expose-Headers", "Content-Disposition")
                 .header("Access-Control-Allow-Headers", "X-Custom")
+                .header("Access-Control-Allow-Credentials", "false")
                 .header("Access-Control-Max-Age", "86400");
 
         given().header("Origin", "http://www.quarkus.io")
@@ -40,6 +41,7 @@ public void corsFullConfigTestServlet() {
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", "http://www.quarkus.io")
                 .header("Access-Control-Allow-Methods", "PUT,POST")
+                .header("Access-Control-Allow-Credentials", "false")
                 .header("Access-Control-Expose-Headers", "Content-Disposition");
     }
 
@@ -56,6 +58,7 @@ public void corsPartialMethodsTestServlet() {
                 .header("Access-Control-Allow-Origin", "http://custom.origin.quarkus")
                 .header("Access-Control-Allow-Methods", "GET") // Should not return DELETE
                 .header("Access-Control-Expose-Headers", "Content-Disposition")
+                .header("Access-Control-Allow-Credentials", "false")
                 .header("Access-Control-Allow-Headers", "X-Custom");// Should not return X-Custom2
     }
 

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSHandlerTestCase.java

@@ -33,6 +33,7 @@ public void corsPreflightTestServlet() {
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", origin)
                 .header("Access-Control-Allow-Methods", methods)
+                .header("Access-Control-Allow-Credentials", "true")
                 .header("Access-Control-Allow-Headers", headers);
     }
 
@@ -52,6 +53,7 @@ public void corsNoPreflightTestServlet() {
                 .header("Access-Control-Allow-Origin", origin)
                 .header("Access-Control-Allow-Methods", methods)
                 .header("Access-Control-Allow-Headers", headers)
+                .header("Access-Control-Allow-Credentials", "true")
                 .body(is("test route"));
     }
 

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSHandlerTestWildcardOriginCase.java

@@ -0,0 +1,65 @@
+package io.quarkus.vertx.http.cors;
+
+import static io.restassured.RestAssured.given;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+class CORSHandlerTestWildcardOriginCase {
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addClasses(BeanRegisteringRoute.class)
+                    .addAsResource("conf/cors-config-wildcard-origins.properties", "application.properties"));
+
+    @Test
+    @DisplayName("Returns true 'Access-Control-Allow-Credentials' header on matching origin")
+    void corsMatchingOrigin() {
+        String origin = "http://custom.origin.quarkus";
+        String methods = "GET,POST";
+        String headers = "X-Custom";
+        given().header("Origin", origin)
+                .header("Access-Control-Request-Method", methods)
+                .header("Access-Control-Request-Headers", headers)
+                .when()
+                .options("/test").then()
+                .statusCode(200)
+                .header("Access-Control-Allow-Credentials", "true");
+    }
+
+    @Test
+    @DisplayName("Returns false 'Access-Control-Allow-Credentials' header on matching origin")
+    void corsNotMatchingOrigin() {
+        String origin = "http://non.matching.origin.quarkus";
+        String methods = "GET,POST";
+        String headers = "X-Custom";
+        given().header("Origin", origin)
+                .header("Access-Control-Request-Method", methods)
+                .header("Access-Control-Request-Headers", headers)
+                .when()
+                .options("/test").then()
+                .statusCode(200)
+                .header("Access-Control-Allow-Credentials", "false");
+    }
+
+    @Test
+    @DisplayName("Returns false 'Access-Control-Allow-Credentials' header on matching origin '*'")
+    void corsMatchingOriginWithWildcard() {
+        String origin = "*";
+        String methods = "GET,POST";
+        String headers = "X-Custom";
+        given().header("Origin", origin)
+                .header("Access-Control-Request-Method", methods)
+                .header("Access-Control-Request-Headers", headers)
+                .when()
+                .options("/test").then()
+                .statusCode(200)
+                .header("Access-Control-Allow-Credentials", "false");
+    }
+}

extensions/vertx-http/deployment/src/test/resources/conf/cors-config-full.properties

@@ -4,3 +4,4 @@ quarkus.http.cors.methods=GET,PUT,POST
 quarkus.http.cors.headers=X-Custom
 quarkus.http.cors.exposed-headers=Content-Disposition
 quarkus.http.cors.access-control-max-age=24H
+quarkus.http.cors.access-control-allow-credentials=false

extensions/vertx-http/deployment/src/test/resources/conf/cors-config-wildcard-origins.properties

@@ -0,0 +1,3 @@
+quarkus.http.cors=true
+quarkus.http.cors.origins=http://custom.origin.quarkus,*
+quarkus.http.cors.methods=GET,OPTIONS,POST

extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties

@@ -1,3 +1,4 @@
 quarkus.http.cors=true
 # whitespaces added to test that they are not taken into account config is parsed
 quarkus.http.cors.methods=GET, OPTIONS, POST
+quarkus.http.cors.access-control-allow-credentials=true

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java

@@ -61,6 +61,17 @@ public class CORSConfig {
     @ConfigItem
     public Optional<Duration> accessControlMaxAge;
 
+    /**
+     * The `Access-Control-Allow-Credentials` header is used to tell the
+     * browsers to expose the response to front-end JavaScript code when
+     * the request’s credentials mode Request.credentials is “include”.
+     *
+     * The value of this header will default to `true` if `quarkus.http.cors.origins` property is set and
+     * there is a match with the precise `Origin` header and that header is not '*'.
+     */
+    @ConfigItem
+    public Optional<Boolean> accessControlAllowCredentials;
+
     @Override
     public String toString() {
         return "CORSConfig{" +
@@ -69,6 +80,7 @@ public String toString() {
                 ", headers=" + headers +
                 ", exposedHeaders=" + exposedHeaders +
                 ", accessControlMaxAge=" + accessControlMaxAge +
+                ", accessControlAllowCredentials=" + accessControlAllowCredentials +
                 '}';
     }
 }

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java

@@ -97,7 +97,11 @@ public void handle(RoutingContext event) {
                 response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
             }
 
-            response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
+            boolean allowCredentials = corsConfig.accessControlAllowCredentials
+                    .orElseGet(() -> corsConfig.origins.isPresent() && corsConfig.origins.get().contains(origin)
+                            && !origin.equals("*"));
+
+            response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, String.valueOf(allowCredentials));
 
             final Optional<List<String>> exposedHeaders = corsConfig.exposedHeaders;