Cors_plug config for making some of the endpoints public

benonymus · October 11, 2019, 7:00am

Hey there,

I am using cors_plug with a whitelist in my endpoint file, but i would like ot make a subset of endpoints publicly available based on url.
is this possible?

I know that this is not possible, but on idea level this is what I am looking for:

  if x do
    plug(CORSPlug, origin: "hehexd.com")
  else
    plug(CORSPlug, origin: "*")
  end

I tried to move it to the router and have different pipelines, but then i would need to add options request type to all of my non get requests and that is not something i’d like to do

Any ideas?

LostKobrakai · October 11, 2019, 7:48am

Make a plug, which checks the request route and only for certain ones applies the cors plug. Mount that one in the endpoint.

benonymus · October 11, 2019, 7:50am

and how do i apply the cors plug?

LostKobrakai · October 11, 2019, 7:51am

MyPlug.call(conn, opts)

benonymus · October 11, 2019, 7:52am

yeah, but i mean inside this plug how do i “call” the cors plug?

LostKobrakai · October 11, 2019, 7:54am

Within your plug‘s code you can call the cors plug like I wrote above.

def call(conn, opts) do
  if x do
    CorsPlug.call(conn, opts)
  else
    conn
  end
end

benonymus · October 11, 2019, 8:31am

thanks, now just need to figure how to pass the relevant whitelist or the “*”, because i need it in the else path

seems to me that this approach doesn’t want to work with CORSPlug

kelvinst · October 11, 2019, 9:11am

You could also use pipelines for it in your router, something like:

pipeline :internal do
  plug CORSPlug, origin: "hehexd.com"
end

scope "/" do
  pipe_through [:internal]
  # your internal routes
end

scope "/" do
  # your public routes
end

But if you still need to whitelist cross site requests on public routes, well, then they are not public, and for sure a * pattern would not whitelist anything, since (if that worked) it would match any domain.

benonymus · October 11, 2019, 9:22am

if i do this since the cors plug would be in the router I’d need to add options routes to the endpoints where that is applicable

LostKobrakai · October 11, 2019, 9:36am

Pipeline plugs are only applied when a route of the router was matched. To handle OPTIONS requests, which are not present in the router, a CORS plug needs to be placed before the router.

You could call the plug with different options in the else case. You might need to look into what init/1 does for your cors plug. Sometimes it changes the format for options, which are later passed to call/2.

benonymus · October 11, 2019, 10:31am

yes, in my init i need to call the plugs init