From 2b9fc83408fd410e344e843d54d8cd0bb48edb65 Mon Sep 17 00:00:00 2001
From: Justin Coyne
Date: Wed, 20 Dec 2023 14:51:22 -0600
Subject: [PATCH] Set Access-Control-Allow-Origin to sul-embed if it's the embed server
---
 app/controllers/application_controller.rb | 13 +++++++++---
 app/controllers/media_controller.rb | 17 ---------------
 spec/requests/media_headers_request_spec.rb | 23 ++++++++++-----------
 3 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f7f7a856..2dbcd5a3 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,14 +8,21 @@ class ApplicationController < ActionController::Base
 rescue_from Purl::Exception do
 head :not_found
 end
- before_action :set_origin_header
+ before_action :set_cors_headers
 protect_from_forgery with: :null_session
 private
- def set_origin_header
- response.headers['Access-Control-Allow-Origin'] = '*'
+ def set_cors_headers
+ origin = request.origin
+ permitted_origins = [Settings.cors.allow_origin_url]
+ if permitted_origins.include?(origin)
+ response.headers['Access-Control-Allow-Origin'] = origin
+ response.headers['Access-Control-Allow-Credentials'] = true
+ else
+ response.headers['Access-Control-Allow-Origin'] = '*'
+ end
 end
 def rescue_can_can(exception)
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index f21e8c46..2d83132b 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -6,7 +6,6 @@ class MediaController < ApplicationController
 skip_forgery_protection
 before_action :load_media
- before_action :set_cors_headers, only: [:auth_check]
 rescue_from ActionController::MissingFile do
 render plain: 'File not found', status: :not_found
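Review bot: `set_cors_headers` now emits a response whose `Access-Control-Allow-Origin` depends on the request's `Origin`, but it never adds `Vary: Origin`, so any shared cache in front of the app can hand the credentialed `allow_origin_url` response to a different origin or the `*` response to the embed server. `Access-Control-Allow-Credentials` is also assigned the boolean `true`, whereas the `MediaController` method this replaces (removed in the next file's second hunk) wrote the string `'true'`; Rack expects string header values, and the new spec in `media_headers_request_spec.rb` pins the boolean with `be true`, so both should move to `'true'`. Finally, `[Settings.cors.allow_origin_url].include?(request.origin)` is satisfied when both sides are `nil` — if that setting can be unset in some environments (I cannot tell from this diff), a same-origin request with no `Origin` header would get a `nil` ACAO header plus credentials; compacting the allow-list and requiring a present origin closes that. The enclosing `ApplicationController` class continues outside the hunk.
```ruby
  def set_cors_headers
    origin = request.origin
    permitted_origins = [Settings.cors.allow_origin_url].compact
    # Response differs per Origin, so downstream caches must key on it.
    response.headers['Vary'] = 'Origin'
    if origin && permitted_origins.include?(origin)
      response.headers['Access-Control-Allow-Origin'] = origin
      response.headers['Access-Control-Allow-Credentials'] = 'true'
    else
      response.headers['Access-Control-Allow-Origin'] = '*'
    end
  end
```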
@@ -32,22 +31,6 @@ def auth_check
 private
- # TODO: We already globally allow any origin, see
- # https://github.com/sul-dlss/stacks/blob/main/app/controllers/application_controller.rb#L11-L19
- # So this method, the `before_action` and the `Settings.cors.allow_origin_url` setting may not
- # be needed. We may just need to add the `['Access-Control-Allow-Credentials']` header into
- # the existing application controller method.
- #
- # In order for media authentication to work, the wowza server must have
- # Access-Control-Allow-Credentials header set (which is set by default when CORS is enabled in wowza),
- # which means that Access-Control-Allow-Origin cannot be set to * (wowza default) and instead
- # needs to specify a host (e.g. the embed server of choice, presumably used in purl with
- # particular stacks). This means that only the specified host will be granted credentialed requests.
- def set_cors_headers
- response.headers['Access-Control-Allow-Origin'] = Settings.cors.allow_origin_url
- response.headers['Access-Control-Allow-Credentials'] = 'true'
- end
-
 def allowed_params
 params.permit(:action, :callback, :id, :file_name, :format, :stacks_token, :user_ip)
 end
diff --git a/spec/requests/media_headers_request_spec.rb b/spec/requests/media_headers_request_spec.rb
index b347fd68..b3b09c48 100644
--- a/spec/requests/media_headers_request_spec.rb
+++ b/spec/requests/media_headers_request_spec.rb
@@ -2,13 +2,6 @@
 require 'rails_helper'
-def verify_cors_headers(allow_origin, allow_credentials)
- (allow_origin == Settings.cors.allow_origin_url) && (allow_credentials == 'true')
-end
-
-def verify_origin_header(allow_origin)
- (allow_origin == '*')
-end
 RSpec.describe "CORS headers for Media requests", type: :request do
 before do
@@ -46,17 +39,23 @@ def verify_origin_header(allow_origin)
 let(:token) { StacksMediaToken.new(druid, filename, ip_address) }
 let(:encrypted_token) { token.to_encrypted_string }
- it 'sets the Access-Control-Allow-Origin header correctly' do
+ before do
 get "/media/#{druid}/#(unknown)/verify_token", params: { stacks_token: encrypted_token, user_ip: ip_address }
- expect(verify_origin_header(response.headers['Access-Control-Allow-Origin'])).to be_truthy
+ end
+
+ it 'sets the Access-Control-Allow-Origin header correctly' do
+ expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
 end
 end
 describe "#auth_check" do
+ before do
+ get "/media/#{druid}/#(unknown)/auth_check", params: { format: :js }, headers: { 'Origin' => Settings.cors.allow_origin_url }
+ end
+
 it 'sets the correct CORS headers' do
- get "/media/#{druid}/#(unknown)/auth_check", params: { format: :js }
- expect(verify_cors_headers(response.headers['Access-Control-Allow-Origin'],
- response.headers['Access-Control-Allow-Credentials'])).to be_truthy
+ expect(response.headers['Access-Control-Allow-Origin']).to eq Settings.cors.allow_origin_url
+ expect(response.headers['Access-Control-Allow-Credentials']).to be true
 end
 end
 end
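Review bot: The `#auth_check` examples only send the permitted `Origin`, so the branch that matters for safety — a request from any other origin must get `'*'` and must not get `Access-Control-Allow-Credentials` — is untested, and a regression that reflects arbitrary origins would pass this spec. Add a second `it` in that `describe` that issues the same `get` with `headers: { 'Origin' => 'https://other.example' }` (a constructed value) and asserts `expect(response.headers['Access-Control-Allow-Origin']).to eq '*'` and `expect(response.headers['Access-Control-Allow-Credentials']).to be_nil`. The `verify_token` example likewise never sends an `Origin`, so it only covers the no-Origin path. The outer `RSpec.describe` and the `describe "#verify_token"` block begin before this hunk.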