move Access-Control-Allow-Origin to httpp.Server

Author: aler9

internal/api/api.go

@@ -6,10 +6,8 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"reflect"
-	"regexp"
 	"sort"
 	"strings"
 	"sync"
@@ -78,71 +76,6 @@ func recordingsOfPath(
 	return ret
 }
 
-var errOriginNotAllowed = errors.New("origin not allowed")
-
-func isOriginAllowed(origin string, allowOrigins []string) (string, error) {
-	if len(allowOrigins) == 0 {
-		return "", errOriginNotAllowed
-	}
-
-	for _, o := range allowOrigins {
-		if o == "*" {
-			return o, nil
-		}
-	}
-
-	if origin == "" {
-		return "", errOriginNotAllowed
-	}
-
-	originURL, err := url.Parse(origin)
-	if err != nil || originURL.Scheme == "" {
-		return "", errOriginNotAllowed
-	}
-
-	if originURL.Port() == "" && originURL.Scheme != "" {
-		switch originURL.Scheme {
-		case "http":
-			originURL.Host = net.JoinHostPort(originURL.Host, "80")
-		case "https":
-			originURL.Host = net.JoinHostPort(originURL.Host, "443")
-		}
-	}
-
-	for _, o := range allowOrigins {
-		allowedURL, errAllowed := url.Parse(o)
-		if errAllowed != nil {
-			continue
-		}
-
-		if allowedURL.Port() == "" {
-			switch allowedURL.Scheme {
-			case "http":
-				allowedURL.Host = net.JoinHostPort(allowedURL.Host, "80")
-			case "https":
-				allowedURL.Host = net.JoinHostPort(allowedURL.Host, "443")
-			}
-		}
-
-		if allowedURL.Scheme == originURL.Scheme &&
-			allowedURL.Host == originURL.Host &&
-			allowedURL.Port() == originURL.Port() {
-			return origin, nil
-		}
-
-		if strings.Contains(allowedURL.Host, "*") {
-			pattern := strings.ReplaceAll(allowedURL.Host, "*.", "(.*\\.)?")
-			pattern = strings.ReplaceAll(pattern, "*", ".*")
-			matched, errMatched := regexp.MatchString("^"+pattern+"$", originURL.Host)
-			if errMatched == nil && matched {
-				return origin, nil
-			}
-		}
-	}
-
-	return "", errOriginNotAllowed
-}
-
 type apiAuthManager interface {
 	Authenticate(req *auth.Request) *auth.Error
 	RefreshJWTJWKS()
@@ -186,7 +119,7 @@ func (a *API) Initialize() error {
 	router := gin.New()
 	router.SetTrustedProxies(a.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
 
-	router.Use(a.middlewareOrigin)
+	router.Use(a.middlewarePreflightRequests)
 	router.Use(a.middlewareAuth)
 
 	group := router.Group("/v3")
@@ -262,6 +195,7 @@ func (a *API) Initialize() error {
 
 	a.httpServer = &httpp.Server{
 		Address:      a.Address,
+		AllowOrigins: a.AllowOrigins,
 		ReadTimeout:  time.Duration(a.ReadTimeout),
 		WriteTimeout: time.Duration(a.WriteTimeout),
 		Encryption:   a.Encryption,
@@ -301,16 +235,7 @@ func (a *API) writeError(ctx *gin.Context, status int, err error) {
 	})
 }
 
-func (a *API) middlewareOrigin(ctx *gin.Context) {
-	origin, err := isOriginAllowed(ctx.Request.Header.Get("Origin"), a.AllowOrigins)
-	if err != nil {
-		return
-	}
-
-	ctx.Header("Access-Control-Allow-Origin", origin)
-	ctx.Header("Access-Control-Allow-Credentials", "true")
-
-	// preflight requests
+func (a *API) middlewarePreflightRequests(ctx *gin.Context) {
 	if ctx.Request.Method == http.MethodOptions &&
 		ctx.Request.Header.Get("Access-Control-Request-Method") != "" {
 		ctx.Header("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PATCH, DELETE")

internal/api/api_test.go

@@ -3,7 +3,6 @@ package api
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -119,98 +118,6 @@ func TestPreflightRequest(t *testing.T) {
 	require.Equal(t, byts, []byte{})
 }
 
-func TestMiddlewareOrigin(t *testing.T) {
-	allowOrigins := []string{}
-	origin := ""
-	allowedOrigin, err := isOriginAllowed(origin, allowOrigins)
-	if err == nil {
-		t.Fatalf("expected error for empty origin, got nil")
-	}
-	if allowedOrigin != "" {
-		t.Fatalf("expected empty allowed origin, got %s", allowedOrigin)
-	}
-
-	allowOrigins = []string{"http://example.com"}
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err == nil {
-		t.Fatalf("expected error for empty origin with allowed origins, got nil")
-	}
-	if allowedOrigin != "" {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-
-	allowOrigins = []string{"*"}
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for wildcard origin: %v", err)
-	}
-	if allowedOrigin != "*" {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-
-	origin = "http://example.com"
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for matching wildcard: %v", err)
-	}
-	if allowedOrigin != "*" {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-
-	allowOrigins = []string{"http://example.com", "https://example.org"}
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for matching origin: %v", err)
-	}
-	if allowedOrigin != origin {
-		t.Fatalf("expected empty allowed origin, got %s", allowedOrigin)
-	}
-
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for matching origin: %v", err)
-	}
-	if allowedOrigin != origin {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-
-	origin = "https://example.org"
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for matching origin: %v", err)
-	}
-	if allowedOrigin != origin {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-
-	allowedOrigin, err = isOriginAllowed("http://notallowed.com", allowOrigins)
-	if !errors.Is(err, errOriginNotAllowed) {
-		t.Fatalf("expected errOriginNotAllowed for disallowed origin, got %v", err)
-	}
-	if allowedOrigin != "" {
-		t.Fatalf("expected empty allowed origin, got %s", allowedOrigin)
-	}
-
-	allowOrigins = []string{"http://*.example.com"}
-	origin = "http://test.example.com"
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for wildcard subdomain: %v", err)
-	}
-	if allowedOrigin != origin {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-
-	origin = "http://example.com"
-	allowedOrigin, err = isOriginAllowed(origin, allowOrigins)
-	if err != nil {
-		t.Fatalf("unexpected error for exact subdomain match: %v", err)
-	}
-	if allowedOrigin != origin {
-		t.Fatalf("unexpected allowed origin: %s", allowedOrigin)
-	}
-}
-
 func TestInfo(t *testing.T) {
 	cnf := tempConf(t, "api: yes\n")
 

internal/metrics/metrics.go

@@ -98,13 +98,14 @@ func (m *Metrics) Initialize() error {
 	router := gin.New()
 	router.SetTrustedProxies(m.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
 
-	router.Use(m.middlewareOrigin)
+	router.Use(m.middlewarePreflightRequests)
 	router.Use(m.middlewareAuth)
 
 	router.GET("/metrics", m.onMetrics)
 
 	m.httpServer = &httpp.Server{
 		Address:      m.Address,
+		AllowOrigins: []string{m.AllowOrigin},
 		ReadTimeout:  time.Duration(m.ReadTimeout),
 		WriteTimeout: time.Duration(m.WriteTimeout),
 		Encryption:   m.Encryption,
@@ -134,11 +135,7 @@ func (m *Metrics) Log(level logger.Level, format string, args ...any) {
 	m.Parent.Log(level, "[metrics] "+format, args...)
 }
 
-func (m *Metrics) middlewareOrigin(ctx *gin.Context) {
-	ctx.Header("Access-Control-Allow-Origin", m.AllowOrigin)
-	ctx.Header("Access-Control-Allow-Credentials", "true")
-
-	// preflight requests
+func (m *Metrics) middlewarePreflightRequests(ctx *gin.Context) {
 	if ctx.Request.Method == http.MethodOptions &&
 		ctx.Request.Header.Get("Access-Control-Request-Method") != "" {
 		ctx.Header("Access-Control-Allow-Methods", "OPTIONS, GET")

internal/playback/server.go

@@ -41,13 +41,14 @@ func (s *Server) Initialize() error {
 	router := gin.New()
 	router.SetTrustedProxies(s.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
 
-	router.Use(s.middlewareOrigin)
+	router.Use(s.middlewarePreflightRequests)
 
 	router.GET("/list", s.onList)
 	router.GET("/get", s.onGet)
 
 	s.httpServer = &httpp.Server{
 		Address:      s.Address,
+		AllowOrigins: []string{s.AllowOrigin},
 		ReadTimeout:  time.Duration(s.ReadTimeout),
 		WriteTimeout: time.Duration(s.WriteTimeout),
 		Encryption:   s.Encryption,
@@ -100,11 +101,7 @@ func (s *Server) safeFindPathConf(name string) (*conf.Path, error) {
 	return pathConf, err
 }
 
-func (s *Server) middlewareOrigin(ctx *gin.Context) {
-	ctx.Header("Access-Control-Allow-Origin", s.AllowOrigin)
-	ctx.Header("Access-Control-Allow-Credentials", "true")
-
-	// preflight requests
+func (s *Server) middlewarePreflightRequests(ctx *gin.Context) {
 	if ctx.Request.Method == http.MethodOptions &&
 		ctx.Request.Header.Get("Access-Control-Request-Method") != "" {
 		ctx.Header("Access-Control-Allow-Methods", "OPTIONS, GET")

internal/pprof/pprof.go

@@ -44,13 +44,14 @@ func (pp *PPROF) Initialize() error {
 	router := gin.New()
 	router.SetTrustedProxies(pp.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
 
-	router.Use(pp.middlewareOrigin)
+	router.Use(pp.middlewarePreflightRequests)
 	router.Use(pp.middlewareAuth)
 
 	pprof.Register(router)
 
 	pp.httpServer = &httpp.Server{
 		Address:      pp.Address,
+		AllowOrigins: []string{pp.AllowOrigin},
 		ReadTimeout:  time.Duration(pp.ReadTimeout),
 		WriteTimeout: time.Duration(pp.WriteTimeout),
 		Encryption:   pp.Encryption,
@@ -80,11 +81,7 @@ func (pp *PPROF) Log(level logger.Level, format string, args ...any) {
 	pp.Parent.Log(level, "[pprof] "+format, args...)
 }
 
-func (pp *PPROF) middlewareOrigin(ctx *gin.Context) {
-	ctx.Header("Access-Control-Allow-Origin", pp.AllowOrigin)
-	ctx.Header("Access-Control-Allow-Credentials", "true")
-
-	// preflight requests
+func (pp *PPROF) middlewarePreflightRequests(ctx *gin.Context) {
 	if ctx.Request.Method == http.MethodOptions &&
 		ctx.Request.Header.Get("Access-Control-Request-Method") != "" {
 		ctx.Header("Access-Control-Allow-Methods", "OPTIONS, GET")

internal/protocols/httpp/handler_filter_requests_test.go

@@ -0,0 +1,42 @@
+package httpp
+
+import (
+	"net"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/bluenviron/mediamtx/internal/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHandlerFilterRequests(t *testing.T) {
+	s := &Server{
+		Address:      "localhost:4555",
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+		Parent:       test.NilLogger,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}),
+	}
+	err := s.Initialize()
+	require.NoError(t, err)
+	defer s.Close()
+
+	conn, err := net.Dial("tcp", "localhost:4555")
+	require.NoError(t, err)
+	defer conn.Close()
+
+	_, err = conn.Write([]byte("OPTIONS / HTTP/1.1\n" +
+		"Host: localhost:8889\n\n"))
+	require.NoError(t, err)
+
+	buf := make([]byte, 200)
+	n, err := conn.Read(buf)
+	require.NoError(t, err)
+
+	res := strings.Split(string(buf[:n]), "\r\n")
+	require.Equal(t, "HTTP/1.1 200 OK", res[0])
+}