scripts/lua/cors.lua

--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements.  See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License.  You may obtain a copy of the License at
--
--     http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--

--- @module Cors
-- Used to set cors headers for preflight and simple requests

local _M = {}
local request = require 'lib/request'

function _M.processCall(resourceConfig)
  if resourceConfig.cors ~= nil then
    ngx.var.cors_origins = resourceConfig.cors.origin
    ngx.var.cors_methods = resourceConfig.cors.methods
    if resourceConfig.cors.origin ~= 'false' and ngx.req.get_method() == 'OPTIONS' then
      request.success(200)
    end
  end
end

function _M.replaceHeaders()
  if ngx.var.cors_origins ~= nil then
    if ngx.var.cors_origins == 'false' then
      ngx.header['Access-Control-Allow-Origin'] = nil
      ngx.header['Access-Control-Allow-Methods'] = nil
    else
      ngx.header['Access-Control-Allow-Origin'] = ngx.var.cors_origins == 'true' and (ngx.var.http_origin or '*') or ngx.var.cors_origins
      ngx.header['Access-Control-Allow-Methods'] = ngx.var.cors_methods or 'GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS'
      ngx.header['Access-Control-Allow-Headers'] = ngx.req.get_headers()['Access-Control-Request-Headers']
      ngx.header['Access-Control-Allow-Credentials'] = 'true'
    end
  end
end

return _M