apisix
bug: allow_origins_by_metadata does not work without allow_origins
Current Behavior
If a user configures the cors plugin with allow_origins_by_metadata but does not set allow_origins explicitly in the route, the cors plugin returns CORS headers for every origin.
Expected Behavior
The user expects the cors plugin to return CORS headers only for the origins stored under the plugin metadata keys referenced by allow_origins_by_metadata.
Error Logs
There is no error log for this bug; the plugin applies the rules without reporting any error.
Steps to Reproduce
- Run APISIX locally
- Add plugin metadata to `cors` using this request, replacing `${ADMIN_API_KEY}` with your admin API key:
```
curl "http://127.0.0.1:9180/apisix/admin/plugin_metadata/cors" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
  "allow_origins": {
    "key_1": "https://domain.com"
  },
  "inactive_timeout": 1
}'
```
- Register a route with `allow_origins_by_metadata` and without mentioning `allow_origins`, using this request:
```
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
  "id": "cors-route",
  "uri": "/anything",
  "plugins": {
    "cors": {
      "allow_methods": "GET,POST",
      "allow_headers": "headr1,headr2",
      "expose_headers": "ex-headr1,ex-headr2",
      "max_age": 50,
      "allow_origins_by_metadata": ["key_1"]
    }
  },
  "upstream": {
    "nodes": {
      "httpbin.org:80": 1
    },
    "type": "roundrobin"
  }
}'
```
- Make a request to the endpoint using the origin mentioned in the plugin metadata (here `https://domain.com`):
```
curl "http://127.0.0.1:9080/anything" -H "Origin: https://domain.com" -I
```
Response:
```
...
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/3.8.0
Access-Control-Allow-Methods: GET,POST
Access-Control-Max-Age: 50
Access-Control-Expose-Headers: ex-headr1,ex-headr2
Access-Control-Allow-Headers: headr1,headr2
```
- Now make a request with another origin that is not present in the metadata value:
```
curl "http://127.0.0.1:9080/anything" -H "Origin: https://test.com" -I
```
Response:
```
...
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/3.8.0
Access-Control-Allow-Methods: GET,POST
Access-Control-Max-Age: 50
Access-Control-Expose-Headers: ex-headr1,ex-headr2
Access-Control-Allow-Headers: headr1,headr2
```
The response still returns CORS headers. But if you set `allow_origins` in the route's plugin config, it returns CORS headers for the value present in the metadata only; it does not return CORS headers for the `allow_origins` value.
- Update the route:
```
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
  "id": "cors-route",
  "uri": "/anything",
  "plugins": {
    "cors": {
      "allow_methods": "GET,POST",
      "allow_headers": "headr1,headr2",
      "expose_headers": "ex-headr1,ex-headr2",
      "max_age": 50,
      "allow_origins_by_metadata": ["key_1"],
      "allow_origins": "http://test.com"
    }
  },
  "upstream": {
    "nodes": {
      "httpbin.org:80": 1
    },
    "type": "roundrobin"
  }
}'
```
- Make a request with the Origin set to the value from the metadata:
```
curl "http://127.0.0.1:9080/anything" -H "Origin: https://domain.com" -I
```
Response:
```
...
Access-Control-Allow-Origin: https://domain.com
Access-Control-Allow-Credentials: true
Server: APISIX/3.8.0
Vary: Origin
Access-Control-Allow-Methods: GET,POST
Access-Control-Max-Age: 50
Access-Control-Expose-Headers: ex-headr1,ex-headr2
Access-Control-Allow-Headers: headr1,headr2
```
- Make a request with a random Origin value:
```
curl "http://127.0.0.1:9080/anything" -H "Origin: https://abc.com" -I
```
Response:
```
...
Access-Control-Allow-Origin: https://abc.com
Access-Control-Allow-Credentials: true
Server: APISIX/3.8.0
Vary: Origin
```
- Make a request with the value in the `allow_origins` field:
```
curl "http://127.0.0.1:9080/anything" -H "Origin: https://test.com" -I
```
Response:
```
...
Access-Control-Allow-Origin: https://test.com
Access-Control-Allow-Credentials: true
Server: APISIX/3.8.0
Vary: Origin
```
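To make the expectation in this report checkable against captured responses, here is an added Python script. It is not part of the issue and not APISIX's cors plugin code: the origin decision it models is my reading of the reporter's expected behaviour (the allow-list is the union of the route's `allow_origins` and the metadata entries named in `allow_origins_by_metadata`, and only an explicit `"*"` yields a wildcard). The metadata, route config and response header blocks are constructed to mirror the reproduction steps above. It also flags two response patterns a reviewer would want surfaced regardless of the bug: `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` (browsers reject that combination for credentialed requests), and a per-origin allow value without `Vary: Origin` (a shared cache could replay one origin's response to another).

```python
from typing import Dict, List, Optional, Set

# Constructed to mirror the reproduction: plugin metadata for "cors" and the
# route-level cors config that references the metadata key without allow_origins.
METADATA = {"allow_origins": {"key_1": "https://domain.com"}}
ROUTE_CORS = {"allow_methods": "GET,POST", "allow_origins_by_metadata": ["key_1"]}

# Constructed from the headers shown in the report (the buggy wildcard case).
OBSERVED_TEST_COM = """\
...
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/3.8.0
Access-Control-Allow-Methods: GET,POST
Access-Control-Max-Age: 50
"""

# Constructed: what a response for an allow-listed origin is expected to look like.
OBSERVED_DOMAIN_OK = """\
Access-Control-Allow-Origin: https://domain.com
Vary: Origin
Server: APISIX/3.8.0
"""


def _split_origins(value: str) -> Set[str]:
    """allow_origins values are comma-separated origin strings."""
    return {o.strip() for o in value.split(",") if o.strip()}


def expected_allow_origin(origin: str, route_cors: Dict, metadata: Dict) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value the report expects for this
    request origin, or None when the origin is not allow-listed.
    Assumption (my model of the expected behaviour, not the plugin's code):
    route allow_origins and the referenced metadata entries form one allow-list,
    and an explicit "*" is the only way to obtain a wildcard."""
    route_value = route_cors.get("allow_origins")
    if route_value == "*":
        return "*"
    allowed = _split_origins(route_value) if route_value else set()
    md_origins = metadata.get("allow_origins", {})
    for key in route_cors.get("allow_origins_by_metadata", []):
        if key in md_origins:
            allowed |= _split_origins(md_origins[key])
    return origin if origin in allowed else None


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'curl -I' style output into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line == "..." or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(origin: str, raw: str, route_cors: Dict, metadata: Dict) -> List[str]:
    """Compare the observed CORS headers with the expected decision and flag the
    wildcard-plus-credentials and missing-Vary patterns. Returns a list of findings."""
    actual = parse_headers(raw)
    findings: List[str] = []
    got = actual.get("access-control-allow-origin")
    want = expected_allow_origin(origin, route_cors, metadata)
    if got != want:
        findings.append(f"origin {origin}: expected Access-Control-Allow-Origin {want!r}, got {got!r}")
    if got == "*" and actual.get("access-control-allow-credentials", "").lower() == "true":
        findings.append(f"origin {origin}: wildcard origin combined with Allow-Credentials: true")
    if got not in (None, "*") and "origin" not in actual.get("vary", "").lower():
        findings.append(f"origin {origin}: per-origin allow value without 'Vary: Origin' (cache poisoning risk)")
    return findings


if __name__ == "__main__":
    for origin, raw in (("https://test.com", OBSERVED_TEST_COM), ("https://domain.com", OBSERVED_DOMAIN_OK)):
        for finding in audit_response(origin, raw, ROUTE_CORS, METADATA) or [f"origin {origin}: OK"]:
            print(finding)
```

Run against the captured `https://test.com` response, the script reports both a mismatch (expected no allow header, got `*`) and the wildcard-with-credentials combination; the constructed `https://domain.com` response passes cleanly. Replacing the embedded header blocks with fresh `curl -I` output gives a quick regression check once the plugin behaviour is changed.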
Environment
- APISIX version (run `apisix version`): 3.8.0
- Operating system (run `uname -a`): Linux rog 6.7.4-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 05 Feb 2024 22:07:49 +0000 x86_64 GNU/Linux
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
```
nginx version: openresty/1.21.4.3
built by gcc 13.2.1 20230801 (GCC)
built with OpenSSL 3.2.0 23 Nov 2023 (running with OpenSSL 3.2.1 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --add-module=/home/wazir/workspace/internships/api7/openresty-1.21.4.3/../mod_dubbo --add-module=/home/wazir/workspace/internships/api7/openresty-1.21.4.3/../ngx_multi_upstream_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
```
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): `{"boot_time":1708332811,"etcd_version":"3.5.0","id":"1bc17f04-abdf-4113-92c9-c0ce67606cac","hostname":"rog","version":"3.8.0"}`
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`): 3.8.0