Upstream/Plan
1
0
Fork 0
mirror of https://github.com/plan-player-analytics/Plan.git synced 2025-02-01 21:11:23 +01:00
Code Issues Projects Releases Wiki Activity

Implemented Access-Control-Allow-Origin

Browse Source 
- Added Config setting Webserver.Security.CORS.Allow_origin
- Webserver returns the header for all requests
- Added an HTTP 204 response for OPTIONS-method to speed up CORS requests.

Affects issues:
- Close #1251
This commit is contained in:
Rsl1122 2019-12-16 12:36:14 +02:00
parent eb7dd381b1
commit 13e00543c2
6 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/RequestHandler.java
View File

@ -24,6 +24,7 @@ import com.djrapitops.plan.delivery.webserver.response.ResponseFactory;
import com.djrapitops.plan.delivery.webserver.response.errors.ForbiddenResponse; import com.djrapitops.plan.delivery.webserver.response.errors.ForbiddenResponse;
import com.djrapitops.plan.settings.config.PlanConfig; import com.djrapitops.plan.settings.config.PlanConfig;
import com.djrapitops.plan.settings.config.paths.PluginSettings; import com.djrapitops.plan.settings.config.paths.PluginSettings;
import com.djrapitops.plan.settings.config.paths.WebserverSettings;
import com.djrapitops.plan.settings.locale.Locale; import com.djrapitops.plan.settings.locale.Locale;
import com.djrapitops.plan.settings.theme.Theme; import com.djrapitops.plan.settings.theme.Theme;
import com.djrapitops.plan.storage.database.DBSystem; import com.djrapitops.plan.storage.database.DBSystem;
@ -96,7 +97,7 @@ public class RequestHandler implements HttpHandler {
try { try {
Response response = shouldPreventRequest(request.getRemoteAddress()) // Forbidden response (Optional) Response response = shouldPreventRequest(request.getRemoteAddress()) // Forbidden response (Optional)
.orElse(responseResolver.getResponse(request)); // Or the actual requested response .orElseGet(() -> responseResolver.getResponse(request)); // Or the actual requested response
// Increase attempt count and block if too high // Increase attempt count and block if too high
Optional<Response> forbid = handlePasswordBruteForceAttempts(request, response); Optional<Response> forbid = handlePasswordBruteForceAttempts(request, response);
@ -109,6 +110,8 @@ public class RequestHandler implements HttpHandler {
responseHeaders.set("WWW-Authenticate", response.getHeader("WWW-Authenticate").orElse("Basic realm=\"Plan WebUser (/plan register)\"")); responseHeaders.set("WWW-Authenticate", response.getHeader("WWW-Authenticate").orElse("Basic realm=\"Plan WebUser (/plan register)\""));
} }
responseHeaders.set("Access-Control-Allow-Origin", config.getString(WebserverSettings.CORS_ALLOW_ORIGIN));
responseHeaders.set("Access-Control-Allow-Methods", "GET, OPTIONS");
response.setResponseHeaders(responseHeaders); response.setResponseHeaders(responseHeaders);
response.send(exchange, locale, theme); response.send(exchange, locale, theme);
} catch (Exception e) { } catch (Exception e) {

5
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/ResponseResolver.java
View File

@ -19,6 +19,7 @@ package com.djrapitops.plan.delivery.webserver;
import com.djrapitops.plan.delivery.webserver.auth.Authentication; import com.djrapitops.plan.delivery.webserver.auth.Authentication;
import com.djrapitops.plan.delivery.webserver.pages.*; import com.djrapitops.plan.delivery.webserver.pages.*;
import com.djrapitops.plan.delivery.webserver.pages.json.RootJSONResolver; import com.djrapitops.plan.delivery.webserver.pages.json.RootJSONResolver;
import com.djrapitops.plan.delivery.webserver.response.OptionsResponse;
import com.djrapitops.plan.delivery.webserver.response.Response; import com.djrapitops.plan.delivery.webserver.response.Response;
import com.djrapitops.plan.delivery.webserver.response.ResponseFactory; import com.djrapitops.plan.delivery.webserver.response.ResponseFactory;
import com.djrapitops.plan.exceptions.WebUserAuthException; import com.djrapitops.plan.exceptions.WebUserAuthException;
@ -116,6 +117,10 @@ public class ResponseResolver extends CompositePageResolver {
RequestTarget target = request.getTarget(); RequestTarget target = request.getTarget();
String resource = target.getResourceString(); String resource = target.getResourceString();
if ("OPTIONS".equalsIgnoreCase(request.getRequestMethod())) {
return new OptionsResponse();
}
if (target.endsWith(".css")) { if (target.endsWith(".css")) {
return responseFactory.cssResponse(resource); return responseFactory.cssResponse(resource);
} }

30
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/response/OptionsResponse.java Normal file
View File

@ -0,0 +1,30 @@
/*
* This file is part of Player Analytics (Plan).
*
* Plan is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License v3 as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Plan is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Plan. If not, see <https://www.gnu.org/licenses/>.
*/
package com.djrapitops.plan.delivery.webserver.response;
/**
* Response for an OPTIONS request.
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
*
* @author Rsl1122
*/
public class OptionsResponse extends Response {
public OptionsResponse() {
setHeader("HTTP/1.1 204 No Content");
}
}

1
Plan/common/src/main/java/com/djrapitops/plan/settings/config/paths/WebserverSettings.java
View File

@ -32,6 +32,7 @@ public class WebserverSettings {
public static final Setting<Boolean> SHOW_ALTERNATIVE_IP = new BooleanSetting("Webserver.Alternative_IP"); public static final Setting<Boolean> SHOW_ALTERNATIVE_IP = new BooleanSetting("Webserver.Alternative_IP");
public static final Setting<String> ALTERNATIVE_IP = new StringSetting("Webserver.Alternative_IP.Address"); public static final Setting<String> ALTERNATIVE_IP = new StringSetting("Webserver.Alternative_IP.Address");
public static final Setting<String> INTERNAL_IP = new StringSetting("Webserver.Internal_IP"); public static final Setting<String> INTERNAL_IP = new StringSetting("Webserver.Internal_IP");
public static final Setting<String> CORS_ALLOW_ORIGIN = new StringSetting("Webserver.Security.CORS.Allow_origin");
public static final Setting<String> CERTIFICATE_PATH = new StringSetting("Webserver.Security.SSL_certificate.KeyStore_path"); public static final Setting<String> CERTIFICATE_PATH = new StringSetting("Webserver.Security.SSL_certificate.KeyStore_path");
public static final Setting<String> CERTIFICATE_KEYPASS = new StringSetting("Webserver.Security.SSL_certificate.Key_pass"); public static final Setting<String> CERTIFICATE_KEYPASS = new StringSetting("Webserver.Security.SSL_certificate.Key_pass");
public static final Setting<String> CERTIFICATE_STOREPASS = new StringSetting("Webserver.Security.SSL_certificate.Store_pass"); public static final Setting<String> CERTIFICATE_STOREPASS = new StringSetting("Webserver.Security.SSL_certificate.Store_pass");

4
Plan/common/src/main/resources/assets/plan/bungeeconfig.yml
View File

@ -50,6 +50,10 @@ Webserver:
Key_pass: default Key_pass: default
Store_pass: default Store_pass: default
Alias: alias Alias: alias
# Cross-Origin Resource Sharing (Requests from non-Plan web pages)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
CORS:
Allow_origin: "*"
Disable_Webserver: false Disable_Webserver: false
External_Webserver_address: "https://www.example.address" External_Webserver_address: "https://www.example.address"
# ----------------------------------------------------- # -----------------------------------------------------

4
Plan/common/src/main/resources/assets/plan/config.yml
View File

@ -52,6 +52,10 @@ Webserver:
Key_pass: default Key_pass: default
Store_pass: default Store_pass: default
Alias: alias Alias: alias
# Cross-Origin Resource Sharing (Requests from non-Plan web pages)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
CORS:
Allow_origin: "*"
Disable_Webserver: false Disable_Webserver: false
External_Webserver_address: https://www.example.address External_Webserver_address: https://www.example.address
# ----------------------------------------------------- # -----------------------------------------------------