From f0740218997f84b0cf2256a69984dc91a9ebfaf5 Mon Sep 17 00:00:00 2001
From: Simon Mayer <simon.mayer@onb.ac.at>
Date: Mon, 26 Sep 2022 11:32:34 +0200
Subject: [PATCH] Add module for allowing requests from Labs domain

---
 app/controllers/application_controller.rb | 1 +
 config/environments/development.rb | 2 --
 config/initializers/cors.rb | 16 ++++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 config/initializers/cors.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3863792..6b85949 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,6 @@
 class ApplicationController < ActionController::Base
 include Authentication
+ include AddProxyRequestOrigin
 
 def send_file
 File.open("tmp/#{params[:filename]}", "r") do |f|
diff --git a/config/environments/development.rb b/config/environments/development.rb
index e3191fb..4455074 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -76,6 +76,4 @@ Rails.application.configure do
 # Allow Action Cable access from any origin.
 config.action_cable.url = ENV['NEP_CABLE_URL'] || 'http://127.0.0.1:3000/cable'
 config.action_cable.allowed_request_origins = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001']
- # Allow XHR/Ajax requests from different origin
- config.action_controller.forgery_protection_origin_check = false
 end
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 0000000..f8e7d39
--- /dev/null
+++ b/config/initializers/cors.rb
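Review bot: `include AddProxyRequestOrigin` replaces `valid_request_origin?`, the CSRF origin check, but neither the module name nor the file it lives in (`config/initializers/cors.rb`, which is not a CORS configuration) says so; a comment on the include would spare the next reader a search, e.g. `# Overrides the CSRF origin check (valid_request_origin?) to also accept the Labs proxy origin; defined in config/initializers/cors.rb`. Defining the module under app/controllers/concerns instead of an initializer would also keep it under autoloading and code reloading, since initializers are evaluated once at boot. Separately, the context line `File.open("tmp/#{params[:filename]}", "r")` in `send_file`, which continues outside the hunk, builds a filesystem path straight from a request parameter; unless it is validated elsewhere, the value should be reduced to a basename or checked against an allow-list before the file is opened.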
@@ -0,0 +1,16 @@
+# Allow requests from Labs domain
+module AddProxyRequestOrigin
+ extend ActionController::RequestForgeryProtection
+
+ allowed_request_origins = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001']
+
+ def valid_request_origin? # :doc:
+ if forgery_protection_origin_check
+ # We accept blank origin headers because some user agents don't send it.
+ raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
+ request.origin.nil? || request.origin == request.base_url || request.origin in allowed_request_origins
+ else
+ true
+ end
+ end
+end
-- 
GitLab
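Review bot: `request.origin in allowed_request_origins` on the `request.origin.nil? || ...` line is a one-line pattern match, and a bare identifier in pattern position is a binding pattern that assigns the local and always succeeds, so on Ruby 3 the whole `||` chain evaluates to true and `valid_request_origin?` accepts every non-"null" origin — which silently re-creates the `forgery_protection_origin_check = false` this commit removes, now in every environment. The intended membership test is `ALLOWED_REQUEST_ORIGINS.include?(request.origin)` against a frozen module constant; the module-body local `allowed_request_origins` is not visible inside the method anyway, and `.compact` keeps a nil entry out when `NEP_LABS_DOMAIN` is unset. `InvalidAuthenticityToken` and `NULL_ORIGIN_MESSAGE` are defined under `ActionController` and `ActionController::RequestForgeryProtection` rather than at top level, so the `"null"`-origin branch would likely raise NameError instead of the intended error. The `extend ActionController::RequestForgeryProtection` line adds those methods to the module object itself, not to the including controller (which already has them via `ActionController::Base`), so it can be dropped.
```ruby
# Overrides the CSRF origin check so the Labs proxy origin is accepted as well.
module AddProxyRequestOrigin
  ALLOWED_REQUEST_ORIGINS = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001'].compact.freeze

  def valid_request_origin? # :doc:
    return true unless forgery_protection_origin_check

    # We accept blank origin headers because some user agents don't send it.
    if request.origin == "null"
      raise ActionController::InvalidAuthenticityToken,
            ActionController::RequestForgeryProtection::NULL_ORIGIN_MESSAGE
    end

    # Exact match only: the Origin header is attacker-controlled, so no prefix or regex matching.
    request.origin.nil? ||
      request.origin == request.base_url ||
      ALLOWED_REQUEST_ORIGINS.include?(request.origin)
  end
end
```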