grant/keysat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.2.0:13 — CORS on public endpoints

Browse Source 
Adds tower-http CorsLayer at the outermost router position so:

- Browsers can fetch /v1/products/<slug>/policies, /v1/openapi.json,
  /v1/issuer/public-key, /v1/validate from any origin. Unblocks the
  dynamic pricing page on docs.keysat.xyz reading live tier config
  from licensing.keysat.xyz.
- Preflight OPTIONS is handled by the CorsLayer directly, never
  reaches the session-bridge or any handler — so admin endpoints
  don't 401 on preflight.

Security posture unchanged. Access-Control-Allow-Credentials is OFF.
The combination of ACAO=* and no-credentials means a cross-origin
page can read public responses but can't ride a logged-in admin
session cookie to hit /v1/admin/*. Admin endpoints still require
an explicit Bearer token, which browsers don't auto-attach
cross-origin.

Tests: +2 CORS regression tests (cors_allows_cross_origin_on_public_
endpoints, cors_preflight_returns_2xx_without_auth). Full suite:
85 passing.
This commit is contained in:
Grant
2026-05-11 10:17:15 -05:00
parent 257669092b
commit 76fe7fe6b9
4 changed files with 100 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
licensing-service/src/api/mod.rs
+26 -2
View File
@@ -96,6 +96,7 @@ use serde_json::json;
use sqlx::SqlitePool;
use std::sync::Arc;
use tokio::sync::RwLock;
use tower_http::cors::{Any, CorsLayer};
#[derive(Clone)]
pub struct AppState {
@@ -483,12 +484,35 @@ pub fn router(state: AppState) -> Router {
.route("/admin/login/status", get(auth::login_status))
.route("/v1/admin/web-password", post(auth::set_password))
// Bridge cookie-based sessions onto the existing API-key require_admin
// guard. Has to be the last layer so it runs first (axum applies
// layers in reverse-of-declaration order).
// guard. Layers apply in reverse-of-declaration order, so this runs
// AFTER the CorsLayer below (i.e. session-bridge is "inside" CORS).
.layer(axum::middleware::from_fn_with_state(
state.clone(),
session_layer::session_to_bearer,
))
// CORS. Declared last so it's the OUTERMOST layer at runtime,
// which means:
// (a) Preflight OPTIONS requests get answered directly by the
// CorsLayer and never hit the session-bridge or any handler.
// Without this, OPTIONS to /v1/admin/* would 401 because
// browsers don't send credentials on preflights.
// (b) `allow_credentials` is NOT enabled. That's deliberate —
// `Access-Control-Allow-Origin: *` combined with credentials
// is rejected by browsers, AND keeping it off means a hostile
// cross-origin page can't piggy-back on a logged-in admin
// session cookie. Bearer-token auth on /v1/admin/* still
// works (the agent / SDK supplies the token explicitly).
//
// Net effect: public endpoints like /v1/products/:slug/policies,
// /v1/openapi.json, /v1/validate, /v1/issuer/public-key can be
// called from any origin (docs.keysat.xyz, keysat.xyz, third-
// party tools). Admin endpoints stay closed without a token.
.layer(
CorsLayer::new()
.allow_origin(Any)
.allow_methods(Any)
.allow_headers(Any),
)
.with_state(state)
}
licensing-service/tests/api.rs
+60
View File
@@ -3044,3 +3044,63 @@ async fn zaprite_connect_gated_by_pro_entitlement() {
assert!(body["upgrade_url"].as_str().expect("upgrade_url").contains("/buy/keysat"));
}
/// CORS — the public read-only endpoints answer cross-origin requests
/// from any browser origin so docs.keysat.xyz can fetch live pricing
/// from licensing.keysat.xyz without proxying. `allow_credentials` is
/// intentionally OFF: pages can read public responses but cannot ride
/// a logged-in admin session cookie to hit /v1/admin/*.
#[tokio::test]
async fn cors_allows_cross_origin_on_public_endpoints() {
let (state, _tmp) = make_test_state().await;
let req = build_request(
"GET",
"/v1/openapi.json",
&[("origin", "https://docs.keysat.xyz")],
None,
);
let resp = send(&state, req).await;
assert_eq!(resp.status(), StatusCode::OK);
let acao = resp
.headers()
.get("access-control-allow-origin")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
assert_eq!(acao, "*", "public endpoints should set ACAO: *");
// Credentials must NOT be allowed — combining `*` origin with
// credentials is rejected by browsers, and disabling it means a
// hostile cross-origin page can't ride a session cookie.
let acac = resp.headers().get("access-control-allow-credentials");
assert!(acac.is_none(), "credentials must not be allowed");
}
/// CORS preflight (OPTIONS) is handled by the CorsLayer directly and
/// never reaches the session-bridge or any handler. This is the path
/// browsers take before issuing an actual cross-origin POST.
#[tokio::test]
async fn cors_preflight_returns_2xx_without_auth() {
let (state, _tmp) = make_test_state().await;
let req = build_request(
"OPTIONS",
"/v1/admin/products",
&[
("origin", "https://example.com"),
("access-control-request-method", "POST"),
("access-control-request-headers", "authorization,content-type"),
],
None,
);
let resp = send(&state, req).await;
// CorsLayer answers preflight with 200 (or 204). No auth required.
assert!(
resp.status().is_success() || resp.status() == StatusCode::NO_CONTENT,
"preflight should be 2xx, got {}",
resp.status()
);
let acao = resp
.headers()
.get("access-control-allow-origin")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
assert_eq!(acao, "*");
}
licensing-service/web/index.html
+1 -1
View File
@@ -1254,7 +1254,7 @@ hr.div { border:none; border-top:1px solid var(--border-1); margin:18px 0; }
style: 'display:inline-flex; align-items:center; gap:8px; font-size:13.5px; color:var(--ink-700); cursor:pointer; line-height:1.5'
}, [
checkbox,
el('span', null, 'Send an anonymous daily heartbeat to help size the Keysat self-host community.'),
el('span', null, 'Opt-in to send anonymous usage stats so Keysat can improve service and performance'),
])
const inlineRow = el('div', {