Skip to content

Commit

Permalink
reenable CORS for IRMA (#3574)
Browse files Browse the repository at this point in the history
test fix
  • Loading branch information
woutslakhorst authored Nov 20, 2024
1 parent e665ca6 commit cd95f10
Show file tree
Hide file tree
Showing 11 changed files with 41 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,7 @@ If your use case does not use these features, you can ignore this table.
auth.contractvalidators [irma,dummy,employeeid] sets the different contract validators to use
auth.irma.autoupdateschemas true set if you want automatically update the IRMA schemas every 60 minutes.
auth.irma.schememanager pbdf IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'.
auth.irma.cors.origin [] sets the allowed CORS origins for the IRMA server
**Events**
events.nats.hostname 0.0.0.0 Hostname for the NATS server
events.nats.port 4222 Port where the NATS server listens on
Expand Down
1 change: 1 addition & 0 deletions auth/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
ContractValidators: auth.config.ContractValidators,
ContractValidity: contractValidity,
StrictMode: config.Strictmode,
CORSOrigin: auth.config.Irma.CORS.Origin,
}, auth.vcr, resolver.DIDKeyResolver{Resolver: auth.vdrInstance.Resolver()}, auth.keyStore, auth.jsonldManager, auth.pkiProvider)

auth.tlsConfig, err = auth.pkiProvider.CreateTLSConfig(config.TLS) // returns nil if TLS is disabled
Expand Down
4 changes: 4 additions & 0 deletions auth/cmd/cmd.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,9 @@ const ConfAutoUpdateIrmaSchemas = "auth.irma.autoupdateschemas"
// ConfIrmaSchemeManager allows selecting an IRMA scheme manager. During development this can ben irma-demo. Production should be pdfb
const ConfIrmaSchemeManager = "auth.irma.schememanager"

// ConfIrmaCorsOrigin is the config key for the allowed CORS origins for the IRMA server
const ConfIrmaCorsOrigin = "auth.irma.cors.origin"

// ConfHTTPTimeout defines a timeout (in seconds) which is used by the Auth API HTTP client
const ConfHTTPTimeout = "auth.http.timeout"

Expand All @@ -51,6 +54,7 @@ func FlagSet() *pflag.FlagSet {
defs := auth.DefaultConfig()
flags.String(ConfIrmaSchemeManager, defs.Irma.SchemeManager, "IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'.")
flags.Bool(ConfAutoUpdateIrmaSchemas, defs.Irma.AutoUpdateSchemas, "set if you want automatically update the IRMA schemas every 60 minutes.")
flags.StringSlice(ConfIrmaCorsOrigin, defs.Irma.CORS.Origin, "sets the allowed CORS origins for the IRMA server")
flags.Int(ConfHTTPTimeout, defs.HTTPTimeout, "HTTP timeout (in seconds) used by the Auth API HTTP client")
flags.Int(ConfClockSkew, defs.ClockSkew, "allowed JWT Clock skew in milliseconds")
flags.Int(ConfAccessTokenLifeSpan, defs.AccessTokenLifeSpan, "defines how long (in seconds) an access token is valid. Uses default in strict mode.")
Expand Down
1 change: 1 addition & 0 deletions auth/cmd/cmd_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ func TestFlagSet(t *testing.T) {
ConfContractValidators,
ConfHTTPTimeout,
ConfAutoUpdateIrmaSchemas,
ConfIrmaCorsOrigin,
ConfIrmaSchemeManager,
}, keys)
}
Expand Down
11 changes: 9 additions & 2 deletions auth/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,15 @@ type AuthorizationEndpointConfig struct {
}

type IrmaConfig struct {
SchemeManager string `koanf:"schememanager"`
AutoUpdateSchemas bool `koanf:"autoupdateschemas"`
SchemeManager string `koanf:"schememanager"`
AutoUpdateSchemas bool `koanf:"autoupdateschemas"`
CORS CORSConfig `koanf:"cors"`
}

// CORSConfig contains configuration for Cross Origin Resource Sharing.
type CORSConfig struct {
// Origin specifies the AllowOrigin option. If no origins are given CORS is considered to be disabled.
Origin []string `koanf:"origin"`
}

// DefaultConfig returns an instance of Config with the default values.
Expand Down
3 changes: 3 additions & 0 deletions auth/services/irma/factory.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ type Config struct {
// Use the IRMA server in production mode. Without this the IRMA app needs to be in "developer mode"
// https://irma.app/docs/irma-app/#developer-mode
Production bool
// CORS configuration
CORSOrigin []string
}

// NewSignerAndVerifier creates a new IRMA signer and verifier.
Expand All @@ -64,6 +66,7 @@ func NewSignerAndVerifier(cfg Config) (*Signer, *Verifier, error) {
return &Signer{
sessionHandler: irmaServer,
schemeManager: cfg.IrmaSchemeManager,
cors: cfg.CORSOrigin,
}, &Verifier{
IrmaConfig: irmaConfig,
Templates: contract.StandardContractTemplates,
Expand Down
2 changes: 2 additions & 0 deletions auth/services/irma/factory_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,8 +64,10 @@ func TestNewSignerAndVerifier(t *testing.T) {
IrmaSchemeManager: "empty",
AutoUpdateIrmaSchemas: false,
Production: false,
CORSOrigin: []string{"*"},
})
require.NoError(t, err)
assert.NotNil(t, signer)
assert.NotNil(t, verifier)
assert.Equal(t, []string{"*"}, signer.cors)
}
16 changes: 16 additions & 0 deletions auth/services/irma/signer.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (
"encoding/json"
"fmt"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
"github.com/nuts-foundation/nuts-node/core"
"github.com/sirupsen/logrus"
"net/http"
Expand All @@ -46,6 +47,7 @@ import (
type Signer struct {
sessionHandler signingSessionHandler
schemeManager string
cors []string
}

// SessionPtr should be made private when v0 is removed
Expand Down Expand Up @@ -132,6 +134,20 @@ func (v Signer) Routes(router core.EchoRouter) {
for _, method := range methods {
router.Add(method, IrmaMountPath+"/*", irmaEchoHandler)
}
skipper := func(c echo.Context) bool {
return !strings.HasPrefix(c.Path(), IrmaMountPath)
}

// enable CORS for the IRMA endpoints
if len(v.cors) > 0 {
// print warning if CORS is enabled for all origins
for _, origin := range v.cors {
if strings.TrimSpace(origin) == "*" {
log.Logger().Warnf("Enabling wildcard CORS for IRMA/Yivi endpoints is not recommended")
}
}
router.Use(middleware.CORSWithConfig(middleware.CORSConfig{AllowOrigins: v.cors, Skipper: skipper}))
}
}

// SigningSessionStatus returns the current status of a certain session.
Expand Down
2 changes: 2 additions & 0 deletions auth/services/notary/notary.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ type Config struct {
IrmaSchemeManager string
ContractValidators []string
ContractValidity time.Duration
CORSOrigin []string
}

func (c Config) hasContractValidator(cv string) bool {
Expand Down Expand Up @@ -164,6 +165,7 @@ func (n *notary) Configure() error {
AutoUpdateIrmaSchemas: n.config.AutoUpdateIrmaSchemas,
// Deduce IRMA production mode from the nuts strict-mode
Production: n.config.StrictMode,
CORSOrigin: n.config.CORSOrigin,
}
signer, verifier, err := irma.NewSignerAndVerifier(cfg)
if err != nil {
Expand Down
1 change: 1 addition & 0 deletions docs/pages/deployment/server_options_didnuts.rst
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
auth.contractvalidators [irma,dummy,employeeid] sets the different contract validators to use
auth.irma.autoupdateschemas true set if you want automatically update the IRMA schemas every 60 minutes.
auth.irma.schememanager pbdf IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'.
auth.irma.cors.origin [] sets the allowed CORS origins for the IRMA server
**Events**
events.nats.hostname 0.0.0.0 Hostname for the NATS server
events.nats.port 4222 Port where the NATS server listens on
Expand Down
2 changes: 1 addition & 1 deletion docs/pages/release_notes.rst
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ The HTTP interface has been reworked to make deployments simpler and more secure
- No more dynamic binding of endpoints to ports, endpoints are now bound to the internal interface (``8081``) or the public interface (``8080``).
- Server-side TLS for HTTP has been dropped, since the Nuts node is always expected to be deployed behind a reverse proxy/ingress that handles TLS termination.
- API authentication is now only applied to ``/internal`` endpoints, since those are the only API endpoints that should be protected with authentication.
- CORS support has been removed. As it is only required by user authentication endpoints that are considered to be deprecated, CORS headers can be set by a reverse proxy if still required.
- CORS configuration for IRMA/Yivi has been moved to the `auth.irma.cors.origin` config parameter.

Port configuration
------------------
Expand Down

0 comments on commit cd95f10

Please sign in to comment.