Merged
1 change: 1 addition & 0 deletions influxdb3_server/Cargo.toml
@@ -69,6 +69,7 @@ flate2.workspace = true
futures.workspace = true
hashbrown.workspace = true
hex.workspace = true
http.workspace = true
hyper.workspace = true
hyper-rustls.workspace = true
humantime.workspace = true
26 changes: 25 additions & 1 deletion influxdb3_server/src/http.rs
@@ -12,6 +12,7 @@ use datafusion::execution::memory_pool::UnboundedMemoryPool;
use datafusion::physical_plan::SendableRecordBatchStream;
use futures::FutureExt;
use futures::{StreamExt, TryStreamExt};
use http::header::ACCESS_CONTROL_ALLOW_ORIGIN;
use hyper::HeaderMap;
use hyper::header::AUTHORIZATION;
use hyper::header::CONTENT_ENCODING;
@@ -1670,6 +1671,26 @@ pub(crate) async fn route_request(
) -> Result<Response<Body>, Infallible> {
let method = req.method().clone();
let uri = req.uri().clone();

// Handle CORS Preflight Checks by allowing everything by default
// and allowing the check to be cached by the browser. This is useful
// for people wanting to query the DB directly from a browser rather
// than from a server. We're permissive about what works with CORS
// so we don't need to check the incoming request, just respond with
// the following headers. We do this before the API token checks as
// the browser will not send a request with an auth header for CORS.
if let Method::OPTIONS = method {
info!(?uri, "preflight request");
Member


Should this be `info`? It might be noisy.

Contributor Author


Ahh, when I went to merge, this comment showed up in my browser tab, which I'd had open for a few days. We could change it to debug. Wouldn't be a bad thing.

return Ok(Response::builder()
.header("Access-Control-Allow-Origin", "*")
.header("Access-Control-Allow-Methods", "*")
.header("Access-Control-Allow-Headers", "*")
.header("Access-Control-Max-Age", "86400")
.status(204)
.body(Body::empty())
.expect("Able to always create a valid response type for CORS"));
}

if started_without_auth && uri.path().starts_with(all_paths::API_V3_CONFIGURE_TOKEN) {
return Ok(Response::builder()
.status(StatusCode::METHOD_NOT_ALLOWED)
@@ -1792,7 +1813,10 @@ pub(crate) async fn route_request(

// TODO: Move logging to TraceLayer
match response {
Ok(response) => {
Ok(mut response) => {
response
.headers_mut()
.insert(ACCESS_CONTROL_ALLOW_ORIGIN, HeaderValue::from_static("*"));
debug!(?response, "Successfully processed request");
Ok(response)
}
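Review bot: The preflight branch and the `Ok(mut response)` arm both send `Access-Control-Allow-Origin: *` unconditionally; when the server runs without auth (the `started_without_auth` check just below the preflight branch shows that mode exists), any web page loaded in a browser that can reach the instance could call the API and read the responses. I would make the allowed origin an opt-in setting that is off by default and send only a configured origin, rather than hard-coding `HeaderValue::from_static("*")`. Separately, in the Fetch standard the `*` value of `Access-Control-Allow-Headers` does not cover `Authorization`, so token-bearing browser requests can still fail preflight; naming it explicitly, e.g. `.header("Access-Control-Allow-Headers", "Authorization, Content-Type")`, avoids that. The header is also added only on the `Ok` arm; the error arm of the `match` is outside the hunk, so whether error responses carry it cannot be confirmed from here. `route_request` starts and ends outside both hunks.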