fix: [FUN-983] Set CORS headers consistently for SDK & API cases (#614)

* Apply cors for API via normal middleware

* Used canned gorilla cors handler

* Include options in routes

* Apply CORS for /dev routes

* remove extraneous CORS tests

handler was removed for gorilla built in

Author: Mike Zorn

internal/dev_server/api/api.yaml

@@ -7,9 +7,9 @@ info:
     those flags.
   version: 1.0.0
 servers:
-  - url: "http"
+  - url: "http://localhost:8765/dev"
 paths:
-  /dev/backup:
+  /backup:
     get:
       summary: get the backup
       operationId: getBackup
@@ -28,7 +28,7 @@ paths:
       responses:
         200:
           description: 'Backup restored'
-  /dev/projects:
+  /projects:
     get:
       summary: lists all projects that have been configured for the dev server
       operationId: getProjects
@@ -43,7 +43,7 @@ paths:
                 items:
                   type: string
                 uniqueItems: true
-  /dev/projects/{projectKey}:
+  /projects/{projectKey}:
     get:
       summary: get the specified project and its configuration for syncing from the LaunchDarkly Service
       operationId: getProject
@@ -113,7 +113,7 @@ paths:
           $ref: "#/components/responses/ErrorResponse"
         409:
           $ref: "#/components/responses/ErrorResponse"
-  /dev/projects/{projectKey}/overrides:
+  /projects/{projectKey}/overrides:
     delete:
       summary: remove all overrides for the given project
       operationId: deleteOverrides
@@ -124,7 +124,7 @@ paths:
           description: OK. All overrides were removed
         404:
           $ref: "#/components/responses/ErrorResponse"        
-  /dev/projects/{projectKey}/overrides/{flagKey}:
+  /projects/{projectKey}/overrides/{flagKey}:
     put:
       summary: override flag value with value provided in the body
       operationId: putOverrideFlag
@@ -155,7 +155,7 @@ paths:
           description: OK. override removed
         404:
           description: no matching override found
-  /dev/projects/{projectKey}/environments:
+  /projects/{projectKey}/environments:
     get:
       operationId: getEnvironments
       summary: list all environments for the given project

internal/dev_server/api/cors.go

@@ -59,17 +59,32 @@ func (c LDClient) RunServer(ctx context.Context, serverParams ServerParams) {
 		ResponseErrorHandlerFunc: api.ResponseErrorHandler,
 	})
 	r := mux.NewRouter()
+	r.Use(handlers.RecoveryHandler(handlers.PrintRecoveryStack(true)))
 	r.Use(adapters.Middleware(*ldClient, serverParams.DevStreamURI))
 	r.Use(model.StoreMiddleware(sqlStore))
 	r.Use(model.ObserversMiddleware(observers))
 	r.Handle("/", http.RedirectHandler("/ui/", http.StatusFound))
 	r.Handle("/ui", http.RedirectHandler("/ui/", http.StatusMovedPermanently))
 	r.PathPrefix("/ui/").Handler(http.StripPrefix("/ui/", ui.AssetHandler))
+
 	sdk.BindRoutes(r)
-	handler := api.HandlerFromMux(apiServer, r)
-	handler = api.CorsHeadersWithConfig(serverParams.CorsEnabled, serverParams.CorsOrigin)(handler)
-	handler = handlers.CombinedLoggingHandler(os.Stdout, handler)
-	handler = handlers.RecoveryHandler(handlers.PrintRecoveryStack(true))(handler)
+
+	apiRouter := r.PathPrefix("/dev").Subrouter()
+	if serverParams.CorsEnabled {
+		apiRouter.Use(handlers.CORS(
+			handlers.AllowedOrigins([]string{serverParams.CorsOrigin}),
+			handlers.AllowedHeaders([]string{"Content-Type", "Content-Length", "Accept-Encoding", "X-Requested-With"}),
+			handlers.ExposedHeaders([]string{"Date", "Content-Length"}),
+			handlers.AllowedMethods([]string{"GET", "POST", "PUT", "PATCH", "DELETE"}),
+			handlers.MaxAge(300),
+		))
+		apiRouter.PathPrefix("/").Methods(http.MethodOptions).HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// request should have been handled in the CORS middleware
+			// This route is needed so that gorilla will not 404 for options requests
+			panic("options handler running. This indicates a misconfiguration of routes")
+		})
+	}
+	api.HandlerFromMux(apiServer, apiRouter) // this method actually mutates the passed router.
 
 	ctx = adapters.WithApiAndSdk(ctx, *ldClient, serverParams.DevStreamURI)
 	ctx = model.SetObserversOnContext(ctx, observers)
@@ -78,6 +93,7 @@ func (c LDClient) RunServer(ctx context.Context, serverParams ServerParams) {
 	if syncErr != nil {
 		log.Fatal(syncErr)
 	}
+	handler := handlers.CombinedLoggingHandler(os.Stdout, r)
 
 	addr := fmt.Sprintf("0.0.0.0:%s", serverParams.Port)
 	log.Printf("Server running on %s", addr)

internal/dev_server/api/cors_test.go

@@ -1,27 +1,23 @@
 package sdk
 
-import "net/http"
+import (
+	"github.com/gorilla/handlers"
+)
 
-func CorsHeaders(handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-		writer.Header().Set("Access-Control-Allow-Origin", "*")
-		writer.Header().Set("Access-Control-Allow-Methods", "GET,OPTIONS")
-		writer.Header().Set("Access-Control-Allow-Credentials", "true")
-		writer.Header().Set("Access-Control-Allow-Headers", "Cache-Control,Content-Type,Content-Length,Accept-Encoding,X-LaunchDarkly-User-Agent,X-LaunchDarkly-Payload-ID,X-LaunchDarkly-Wrapper,X-LaunchDarkly-Event-Schema,X-LaunchDarkly-Tags")
-		writer.Header().Set("Access-Control-Expose-Headers", "Date")
-		writer.Header().Set("Access-Control-Max-Age", "300")
-		handler.ServeHTTP(writer, request)
-	})
-}
+var CorsHeaders = handlers.CORS(
+	handlers.AllowedOrigins([]string{"*"}),
+	handlers.AllowedMethods([]string{"GET"}),
+	handlers.AllowCredentials(),
+	handlers.ExposedHeaders([]string{"Date"}),
+	handlers.AllowedHeaders([]string{"Cache-Control", "Content-Type", "Content-Length", "Accept-Encoding", "X-LaunchDarkly-Event-Schema", "X-LaunchDarkly-User-Agent", "X-LaunchDarkly-Payload-ID", "X-LaunchDarkly-Wrapper", "X-LaunchDarkly-Tags"}),
+	handlers.MaxAge(300),
+)
 
-func EventsCorsHeaders(handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-		writer.Header().Set("Access-Control-Allow-Origin", "*")
-		writer.Header().Set("Access-Control-Allow-Methods", "POST,OPTIONS")
-		writer.Header().Set("Access-Control-Allow-Credentials", "true")
-		writer.Header().Set("Access-Control-Allow-Headers", "Accept,Content-Type,Content-Length,Accept-Encoding,X-LaunchDarkly-Event-Schema,X-LaunchDarkly-User-Agent,X-LaunchDarkly-Payload-ID,X-LaunchDarkly-Wrapper,X-LaunchDarkly-Tags")
-		writer.Header().Set("Access-Control-Expose-Headers", "Date")
-		writer.Header().Set("Access-Control-Max-Age", "300")
-		handler.ServeHTTP(writer, request)
-	})
-}
+var EventsCorsHeaders = handlers.CORS(
+	handlers.AllowedOrigins([]string{"*"}),
+	handlers.AllowedMethods([]string{"POST"}),
+	handlers.AllowCredentials(),
+	handlers.AllowedHeaders([]string{"Accept", "Content-Type", "Content-Length", "Accept-Encoding", "X-LaunchDarkly-Event-Schema", "X-LaunchDarkly-User-Agent", "X-LaunchDarkly-Payload-ID", "X-LaunchDarkly-Wrapper", "X-LaunchDarkly-Tags"}),
+	handlers.ExposedHeaders([]string{"Date"}),
+	handlers.MaxAge(300),
+)