Merge pull request #4013 from crobibero/dynamic-cors

Allow CORS domains to be configured
2020-09-07 19:41:45 -04:00 · 2020-09-07 19:41:45 -04:00 · d08ddbb8d2
parent f43f72e6ce 342de39d78
commit d08ddbb8d2
5 changed files with 61 additions and 37 deletions
--- a/Jellyfin.Server/Configuration/CorsPolicyProvider.cs
+++ b/Jellyfin.Server/Configuration/CorsPolicyProvider.cs
@ -0,0 +1,49 @@
+using System;
+using System.Threading.Tasks;
+using MediaBrowser.Controller.Configuration;
+using Microsoft.AspNetCore.Cors.Infrastructure;
+using Microsoft.AspNetCore.Http;
+
+namespace Jellyfin.Server.Configuration
+{
+    /// <summary>
+    /// Cors policy provider.
+    /// </summary>
+    public class CorsPolicyProvider : ICorsPolicyProvider
+    {
+        private readonly IServerConfigurationManager _serverConfigurationManager;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="CorsPolicyProvider"/> class.
+        /// </summary>
+        /// <param name="serverConfigurationManager">Instance of the <see cref="IServerConfigurationManager"/> interface.</param>
+        public CorsPolicyProvider(IServerConfigurationManager serverConfigurationManager)
+        {
+            _serverConfigurationManager = serverConfigurationManager;
+        }
+
+        /// <inheritdoc />
+        public Task<CorsPolicy> GetPolicyAsync(HttpContext context, string policyName)
+        {
+            var corsHosts = _serverConfigurationManager.Configuration.CorsHosts;
+            var builder = new CorsPolicyBuilder()
+                .AllowAnyMethod()
+                .AllowAnyHeader();
+
+            // No hosts configured or only default configured.
+            if (corsHosts.Length == 0
+                || (corsHosts.Length == 1
+                    && string.Equals(corsHosts[0], CorsConstants.AnyOrigin, StringComparison.Ordinal)))
+            {
+                builder.AllowAnyOrigin();
+            }
+            else
+            {
+                builder.WithOrigins(corsHosts)
+                    .AllowCredentials();
+            }
+
+            return Task.FromResult(builder.Build());
+        }
+    }
+}
--- a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
+++ b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
@ -15,13 +15,15 @@ using Jellyfin.Api.Auth.LocalAccessPolicy;
 using Jellyfin.Api.Auth.RequiresElevationPolicy;
 using Jellyfin.Api.Constants;
 using Jellyfin.Api.Controllers;
+using Jellyfin.Server.Configuration;
 using Jellyfin.Server.Formatters;
-using Jellyfin.Server.Models;
+using Jellyfin.Server.Middleware;
 using MediaBrowser.Common.Json;
 using MediaBrowser.Model.Entities;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.OpenApi.Models;
@ -138,10 +140,8 @@ namespace Jellyfin.Server.Extensions
        public static IMvcBuilder AddJellyfinApi(this IServiceCollection serviceCollection, IEnumerable<Assembly> pluginAssemblies)
        {
            IMvcBuilder mvcBuilder = serviceCollection
-                .AddCors(options =>
-                {
-                    options.AddPolicy(ServerCorsPolicy.DefaultPolicyName, ServerCorsPolicy.DefaultPolicy);
-                })
+                .AddCors()
+                .AddTransient<ICorsPolicyProvider, CorsPolicyProvider>()
                .Configure<ForwardedHeadersOptions>(options =>
                {
                    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
--- a/Jellyfin.Server/Models/ServerCorsPolicy.cs
+++ b/Jellyfin.Server/Models/ServerCorsPolicy.cs
@ -1,30 +0,0 @@
-using Microsoft.AspNetCore.Cors.Infrastructure;
-
-namespace Jellyfin.Server.Models
-{
-    /// <summary>
-    /// Server Cors Policy.
-    /// </summary>
-    public static class ServerCorsPolicy
-    {
-        /// <summary>
-        /// Default policy name.
-        /// </summary>
-        public const string DefaultPolicyName = "DefaultCorsPolicy";
-
-        /// <summary>
-        /// Default Policy. Allow Everything.
-        /// </summary>
-        public static readonly CorsPolicy DefaultPolicy = new CorsPolicy
-        {
-            // Allow any origin
-            Origins = { "*" },
-
-            // Allow any method
-            Methods = { "*" },
-
-            // Allow any header
-            Headers = { "*" }
-        };
-    }
-}
--- a/Jellyfin.Server/Startup.cs
+++ b/Jellyfin.Server/Startup.cs
@ -5,7 +5,6 @@ using Jellyfin.Api.TypeConverters;
 using Jellyfin.Server.Extensions;
 using Jellyfin.Server.Implementations;
 using Jellyfin.Server.Middleware;
-using Jellyfin.Server.Models;
 using MediaBrowser.Common.Net;
 using MediaBrowser.Controller;
 using MediaBrowser.Controller.Configuration;
@ -116,7 +115,7 @@ namespace Jellyfin.Server

                mainApp.UseResponseCompression();

-                mainApp.UseCors(ServerCorsPolicy.DefaultPolicyName);
+                mainApp.UseCors();

                if (_serverConfigurationManager.Configuration.RequireHttps
                    && _serverApplicationHost.ListenWithHttps)
--- a/MediaBrowser.Model/Configuration/ServerConfiguration.cs
+++ b/MediaBrowser.Model/Configuration/ServerConfiguration.cs
@ -263,6 +263,11 @@ namespace MediaBrowser.Model.Configuration
        /// </summary>
        public long SlowResponseThresholdMs { get; set; }

+        /// <summary>
+        /// Gets or sets the cors hosts.
+        /// </summary>
+        public string[] CorsHosts { get; set; }
+
        /// <summary>
        /// Initializes a new instance of the <see cref="ServerConfiguration" /> class.
        /// </summary>
@ -372,6 +377,7 @@ namespace MediaBrowser.Model.Configuration

            EnableSlowResponseWarning = true;
            SlowResponseThresholdMs = 500;
+            CorsHosts = new[] { "*" };
        }
    }