Do you want to request a feature or report a bug?
Bug
What is the current behavior?
When using wildcards in CORS_ALLOWED_ORIGINS environment variable, hydra does not respect them.
When specifying domains exactly, hydra respects the CORS request.
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Launch hydra with CORS for *.domain.com:
docker run -it --rm \
-e CORS_ENABLED=true \
-e "CORS_ALLOWED_ORIGINS=http://*.domain.com" \
-e DATABASE_URL=memory \
-p 4444:4444 \
oryd/hydra:v1.0.0-beta.9 serve all --dangerous-force-http
Attempt a CORS request:
curl \
--request POST \
--header "Origin: http://test.domain.com" \
--dump-header - \
--output /dev/null \
--silent \
http://localhost:4444/oauth2/token
Notice the lack of CORS headers.
Now, attempt another CORS request this time from http://*.domain.test:
curl \
--request POST \
--header "Origin: http://*.domain.com" \
--dump-header - \
--output /dev/null \
--silent \
http://localhost:4444/oauth2/token
Theres a header for Access-Control-Allow-Origin: http://*.domain.com! Looks like the wildcard is being treated as an actual character.
What is the expected behavior?
Hydra should send Access-Control-Allow-Origin: http://test.domain.com as a header.
Which version of the software is affected?
docker run -it --rm oryd/hydra:v1.0.0-beta.9 version
Version: v1.0.0-beta.9
Git Hash: f359d0809badec1219d4678afe54ae628b0bdf70
Build Time: 2018-09-01T13:29:35Z
Yeah, wildcards are currently interpreted as literals, see also: https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
It's useful nonetheless, tagging as feature request.
Ah ok then, it might be helpful to update the help message for CORS_ALLOWED_ORIGINS. It might be a bit misleading until this is implemented:
- CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
Only one wildcard can be used per origin. The default value is *.
Example: CORS_ALLOWED_ORIGINS=http://*.domain.com,http://*.domain2.com
You're right, in fact this is a bug. rs/cors (the library we use for cors) should support this: https://github.com/rs/cors#parameters
Not sure what's going on.
Most helpful comment
You're right, in fact this is a bug.
rs/cors(the library we use for cors) should support this: https://github.com/rs/cors#parametersNot sure what's going on.