From 36c044173da9679cedd9446f53bf86bb39ddd194 Mon Sep 17 00:00:00 2001
From: appflowy <annie@appflowy.io>
Date: Sat, 4 Sep 2021 16:32:34 +0800
Subject: [PATCH] add cors control

---
 backend/Cargo.toml                        |  2 +-
 backend/src/application.rs                |  1 +
 backend/src/middleware/cors_middleware.rs | 17 +++++++++++++++++
 backend/src/middleware/mod.rs             |  2 ++
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 backend/src/middleware/cors_middleware.rs

diff --git a/backend/Cargo.toml b/backend/Cargo.toml
index 5320dbbe30..3420d6ceed 100644
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -17,7 +17,7 @@ actix-rt = "2"
 actix-web-actors = { version = "4.0.0-beta.6" }
 actix-service = "2.0.0-beta.5"
 actix-identity = "0.4.0-beta.2"
-#actix-cors = "0.5.4"
+actix-cors = "0.6.0-beta.2"
 
 futures = "0.3.15"
 bytes = "1"
diff --git a/backend/src/application.rs b/backend/src/application.rs
index 866e33cd00..e07fe9dc09 100644
--- a/backend/src/application.rs
+++ b/backend/src/application.rs
@@ -53,6 +53,7 @@ pub fn run(listener: TcpListener, app_ctx: AppContext) -> Result<Server, std::io
         App::new()
             .wrap(middleware::Logger::default())
             .wrap(identify_service(&domain, &secret))
+            .wrap(crate::middleware::default_cors())
             .wrap(crate::middleware::AuthenticationService)
             .app_data(web::JsonConfig::default().limit(4096))
             .service(ws_scope())
diff --git a/backend/src/middleware/cors_middleware.rs b/backend/src/middleware/cors_middleware.rs
new file mode 100644
index 0000000000..4b2484c617
--- /dev/null
+++ b/backend/src/middleware/cors_middleware.rs
@@ -0,0 +1,17 @@
+use actix_cors::Cors;
+use actix_web::http;
+use flowy_net::config::HEADER_TOKEN;
+
+// https://javascript.info/fetch-crossorigin#cors-for-safe-requests
+// https://docs.rs/actix-cors/0.5.4/actix_cors/index.html
+// http://www.ruanyifeng.com/blog/2016/04/cors.html
+// Cors short for Cross-Origin Resource Sharing.
+pub fn default_cors() -> Cors {
+    Cors::default() // allowed_origin return access-control-allow-origin: * by default
+        // .allowed_origin("http://127.0.0.1:8080")
+        .send_wildcard()
+        .allowed_methods(vec!["GET", "POST", "PUT", "DELETE"])
+        .allowed_headers(vec![http::header::ACCEPT])
+        .allowed_header(http::header::CONTENT_TYPE)
+        .max_age(3600)
+}
diff --git a/backend/src/middleware/mod.rs b/backend/src/middleware/mod.rs
index 13aef75be1..28e0ccaac9 100644
--- a/backend/src/middleware/mod.rs
+++ b/backend/src/middleware/mod.rs
@@ -1,3 +1,5 @@
 mod auth_middleware;
+mod cors_middleware;
 
 pub use auth_middleware::*;
+pub use cors_middleware::*;