fix(activitypub): allow cors on get requests for routes exposing acitivitypub objects

2022-02-05 10:57:02 +00:00 · 2022-02-05 10:57:02 +00:00 · 2f2480998f
parent 412cf14604
commit 2f2480998f
6 changed files with 74 additions and 20 deletions
--- a/app/Config/Filters.php
+++ b/app/Config/Filters.php
@ -11,6 +11,7 @@ use CodeIgniter\Filters\Honeypot;
 use CodeIgniter\Filters\InvalidChars;
 use CodeIgniter\Filters\SecureHeaders;
 use Modules\Auth\Filters\PermissionFilter;
+use Modules\Fediverse\Filters\AllowCorsFilter;
 use Modules\Fediverse\Filters\FediverseFilter;
 use Myth\Auth\Filters\LoginFilter;
 use Myth\Auth\Filters\RoleFilter;
@ -31,7 +32,8 @@ class Filters extends BaseConfig
        'login' => LoginFilter::class,
        'role' => RoleFilter::class,
        'permission' => PermissionFilter::class,
-        'activity-pub' => FediverseFilter::class,
+        'fediverse' => FediverseFilter::class,
+        'allow-cors' => AllowCorsFilter::class,
    ];

    /**
--- a/app/Config/Routes.php
+++ b/app/Config/Routes.php
@ -90,6 +90,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
                'controller-method' => 'ActorController/$1',
            ],
        ],
+        'filter' => 'allow-cors',
    ]);
    $routes->get('about', 'PodcastController::about/$1', [
        'as' => 'podcast-about',
@ -108,6 +109,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
                'controller-method' => 'PodcastController::episodeCollection/$1',
            ],
        ],
+        'filter' => 'allow-cors',
    ]);
    $routes->group('episodes/(:slug)', function ($routes): void {
        $routes->options('/', 'ActivityPubController::preflight');
@ -124,6 +126,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
                    'controller-method' => 'EpisodeController::episodeObject/$1/$2',
                ],
            ],
+            'filter' => 'allow-cors',
        ]);
        $routes->get('activity', 'EpisodeController::activity/$1/$2', [
            'as' => 'episode-activity',
@ -140,7 +143,9 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
            'application/ld+json; profile="https://www.w3.org/ns/activitystreams' => [
                'controller-method' => 'EpisodeController::comments/$1/$2',
            ],
+            'filter' => 'allow-cors',
        ]);
+        $routes->options('comments/(:uuid)', 'ActivityPubController::preflight');
        $routes->get('comments/(:uuid)', 'EpisodeCommentController::view/$1/$2/$3', [
            'as' => 'episode-comment',
            'application/activity+json' => [
@ -152,6 +157,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
            'application/ld+json; profile="https://www.w3.org/ns/activitystreams' => [
                'controller-method' => 'EpisodeController::commentObject/$1/$2',
            ],
+            'filter' => 'allow-cors',
        ]);
        $routes->get('comments/(:uuid)/replies', 'EpisodeCommentController::replies/$1/$2/$3', [
            'as' => 'episode-comment-replies',
@ -221,6 +227,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
                    'controller-method' => 'PostController/$2',
                ],
            ],
+            'filter' => 'allow-cors',
        ]);
        $routes->options('replies', 'ActivityPubController::preflight');
        $routes->get('replies', 'PostController/$1/$2', [
@ -235,6 +242,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
                    'controller-method' => 'PostController::replies/$2',
                ],
            ],
+            'filter' => 'allow-cors',
        ]);

        // Actions
@ -278,7 +286,7 @@ $routes->group('@(:podcastHandle)', function ($routes): void {
    ]);
    $routes->get('outbox', 'ActorController::outbox/$1', [
        'as' => 'outbox',
-        'filter' => 'activity-pub:verify-activitystream',
+        'filter' => 'fediverse:verify-activitystream',
    ]);
 });

--- a/app/Controllers/ActivityPubController.php
+++ b/app/Controllers/ActivityPubController.php
@ -10,21 +10,8 @@ declare(strict_types=1);

 namespace App\Controllers;

-use CodeIgniter\Controller;
-use CodeIgniter\HTTP\Response;
+use Modules\Fediverse\Controllers\ActivityPubController as FediverseActivityPubController;

-class ActivityPubController extends Controller
+class ActivityPubController extends FediverseActivityPubController
 {
-    /**
-     * @noRector ReturnTypeDeclarationRector
-     */
-    public function preflight(): Response
-    {
-        return $this->response->setHeader('Access-Control-Allow-Origin', '*') // for allowing any domain, insecure
-            ->setHeader('Access-Control-Allow-Headers', '*') // for allowing any headers, insecure
-            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS') // allows GET and OPTIONS methods only
-            ->setHeader('Access-Control-Max-Age', '86400')
-            ->setHeader('Cache-Control', 'public, max-age=86400')
-            ->setStatusCode(200);
-    }
 }
--- a/modules/Fediverse/Config/Routes.php
+++ b/modules/Fediverse/Config/Routes.php
@ -43,15 +43,15 @@ $routes->group('', [
        $routes->post('inbox', 'ActorController::inbox/$1', [
            'as' => 'inbox',
            'filter' =>
-                'activity-pub:verify-activitystream,verify-blocks,verify-signature',
+                'fediverse:verify-activitystream,verify-blocks,verify-signature',
        ]);
        $routes->get('outbox', 'ActorController::outbox/$1', [
            'as' => 'outbox',
-            'filter' => 'activity-pub:verify-activitystream',
+            'filter' => 'fediverse:verify-activitystream',
        ]);
        $routes->get('followers', 'ActorController::followers/$1', [
            'as' => 'followers',
-            'filter' => 'activity-pub::activity-stream',
+            'filter' => 'fediverse::activity-stream',
        ]);
        $routes->post('follow', 'ActorController::attemptFollow/$1', [
            'as' => 'attempt-follow',
--- a/modules/Fediverse/Controllers/ActivityPubController.php
+++ b/modules/Fediverse/Controllers/ActivityPubController.php
@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  2021 Podlibre
+ * @license    https://www.gnu.org/licenses/agpl-3.0.en.html AGPL3
+ * @link       https://castopod.org/
+ */
+
+namespace Modules\Fediverse\Controllers;
+
+use CodeIgniter\Controller;
+use CodeIgniter\HTTP\Response;
+
+class ActivityPubController extends Controller
+{
+    /**
+     * @noRector ReturnTypeDeclarationRector
+     */
+    public function preflight(): Response
+    {
+        return $this->response->setHeader('Access-Control-Allow-Origin', '*') // for allowing any domain, insecure
+            ->setHeader('Access-Control-Allow-Headers', '*') // for allowing any headers, insecure
+            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS') // allows GET and OPTIONS methods only
+            ->setHeader('Access-Control-Max-Age', '86400')
+            ->setHeader('Cache-Control', 'public, max-age=86400')
+            ->setStatusCode(200);
+    }
+}
--- a/modules/Fediverse/Filters/AllowCorsFilter.php
+++ b/modules/Fediverse/Filters/AllowCorsFilter.php
@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Modules\Fediverse\Filters;
+
+use CodeIgniter\Filters\FilterInterface;
+use CodeIgniter\HTTP\RequestInterface;
+use CodeIgniter\HTTP\ResponseInterface;
+
+class AllowCorsFilter implements FilterInterface
+{
+    public function before(RequestInterface $request, $arguments = null): void
+    {
+        // Do something here
+    }
+
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null): void
+    {
+        $response->setHeader('Access-Control-Allow-Origin', '*') // for allowing any domain, insecure
+            ->setHeader('Access-Control-Allow-Headers', '*') // for allowing any headers, insecure
+            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS') // allows GET and OPTIONS methods only
+            ->setHeader('Access-Control-Max-Age', '86400')
+            ->setHeader('Cache-Control', 'public, max-age=86400')
+            ->setStatusCode(200);
+    }
+}