Draft proposal of allowed origins cors list
- Covers: #37716
Summary
This is a WIP draft PR that partially implements an allowed origins list, so as not to open the nextcloud ocs and external api everywhere, while allowing some parts to be opened, as the interaction will be limited. This is planned in a way that the desired endpoints will use the apicontroller instead of the base controller, so they can use the inherited preflighted_cors method.
When doing so and adding the annotation @cors to the desired method, filtering will be done. The definition of the allowed origins will be done in system and in the (to be defined) app, in a general and in an app manner, so for example in the case of files_sharing it will check config.php for the list of allowed_origins, then the (tbd) app settings, then it will also check in config.php the value of files_sharing.allowed_origins and in the (tbd) app settings the value of files_sharing.allowed_origins.
If the http_origin header matches any entry in these settings, it will allow the use of the api from this origin url.
As an example I am allowing the preview endpoint only, but it could be opened to other endpoints easily. Just grab the code and define

```php
'allowed_origins' => array(
	'https://example.com',
),
```

in config.php, then check if you can get a preview when calling from the allowed origin url (a simple js fetch can be done).
The frontend to control allowed_origins is yet to be done, depending on how well this draft is accepted or whether you think it's a bad and ugly way of achieving the filtering.
todo in this pr
- [ ] Tests (unit, integration, api and/or acceptance) are included
- [ ] Screenshots before/after for front-end changes
- [ ] Documentation (manuals or wiki) has been updated or is not required
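The lookup described in the summary (the system-wide `allowed_origins` list plus `files_sharing.allowed_origins` in config.php), sketched as exact-match origin filtering. This is an added example, not code from this PR: the function names and sample values are hypothetical, and the (tbd) app settings source is left out.

```php
<?php
// Constructed sample of config.php values; the two keys are those named in the PR description.
$config = [
    'allowed_origins' => ['https://example.com'],
    'files_sharing.allowed_origins' => ['https://partner.example.org:8443'],
];

// Reduce a value to scheme://host[:port]; null if it is not a bare http(s) origin.
function normalizeOrigin(string $value): ?string {
    $p = parse_url(trim($value));
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    // An Origin header never carries credentials, a path, a query or a fragment.
    if (array_intersect_key($p, array_flip(['user', 'pass', 'path', 'query', 'fragment']))) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $origin = $scheme . '://' . strtolower($p['host']);
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

// Merge the system-wide list with the per-app list (hypothetical helper).
function allowedOriginsFor(array $config, string $appId): array {
    $lists = array_merge($config['allowed_origins'] ?? [], $config[$appId . '.allowed_origins'] ?? []);
    return array_values(array_filter(array_map('normalizeOrigin', $lists)));
}

// Headers to add to the response; empty when the origin is not on the list.
function corsHeadersFor(?string $originHeader, array $config, string $appId): array {
    $origin = $originHeader === null ? null : normalizeOrigin($originHeader);
    if ($origin === null || !in_array($origin, allowedOriginsFor($config, $appId), true)) {
        return [];
    }
    // Echo the single matched origin, never "*", and mark the response as origin-dependent for caches.
    return ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'];
}

// Constructed Origin values: two listed, then a look-alike suffix, a userinfo form and "null".
$samples = ['https://example.com', 'https://partner.example.org:8443',
    'https://example.com.evil.test', 'https://example.com@evil.test', 'null'];
foreach ($samples as $sample) {
    $headers = corsHeadersFor($sample, $config, 'files_sharing');
    echo str_pad($sample, 36), json_encode($headers, JSON_UNESCAPED_SLASHES), "\n";
}
```

Comparing whole normalized origins with strict equality is what keeps prefix or substring look-alikes of a listed host from matching.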
Adding an application to be used as a frontend to set the allowed origins; it's in a separate repo at: https://github.com/Communia/cors_origin_filter_settings . I am marking this PR as needing review right now, although it still needs tests added and modified; let me know if it's better to set it back to DRAFT.
Hi @aleixq, is this PR WIP, as mentioned in the body of the description?
If it is WIP, I think it would be good to convert it to draft and change the label to 2. developing
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request
Thank you for caring, vitor. Yes, the code could be reviewed and its main idea evaluated:
- Adding a way to control the origins which can interoperate with nextcloud endpoints and how it's achieved: applying whitelists to all `@cors` annotated controller methods.
But there are parts not done yet:
- Tests.
- Documentation.
- Also, as there will be more control over the origins, opening more endpoints could be proposed (like search endpoints, the activity api or everything that could be used by a 3rd party web) as it's already done in this pr with preview endpoint just to show how it could be done.
Just looking for feedback before continuing the work on this, as I don't want to waste everyone's time with a lot of code if it's futile. That said, if it's better to set it back to draft until everything is done, no problem.