/*
 * Copyright 2022-2025 Revetware LLC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.soklet;

import javax.annotation.Nonnull;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

import static java.util.Objects.requireNonNull;

/**
 * Decides whether a <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a> request is permitted.
 * <p>
 * An implementation answers two questions: whether a non-preflight CORS request is authorized
 * ({@link #authorize(Request, Cors)}) and whether a preflight request is authorized
 * ({@link #authorizePreflight(Request, CorsPreflight, Map)}). In both cases an empty {@link Optional}
 * means "not authorized".
 * <p>
 * Ready-made implementations are available through the static factories on this interface:
 * <ul>
 * <li>{@link #withRejectAllPolicy()} - permits no CORS requests</li>
 * <li>{@link #withAcceptAllPolicy()} - permits every CORS request; not recommended for production</li>
 * <li>{@link #withWhitelistedOrigins(Set)} - permits only the origins in a fixed set</li>
 * <li>{@link #withWhitelistAuthorizer(Function)} - permits origins as decided by a caller-supplied function</li>
 * </ul>
 * Detailed documentation is at
 * <a href="https://www.soklet.com/docs/cors#authorizing-cors-requests">https://www.soklet.com/docs/cors#authorizing-cors-requests</a>.
 *
 * @author <a href="https://www.revetkn.com">Mark Allen</a>
 */
public interface CorsAuthorizer {
	/**
	 * Authorizes a <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">non-preflight CORS</a> request.
	 *
	 * @param request the request being authorized
	 * @param cors    the CORS data that accompanied the request
	 * @return a {@link CorsResponse} when the request is authorized, otherwise {@link Optional#empty()}
	 */
	@Nonnull
	Optional<CorsResponse> authorize(@Nonnull Request request,
																	 @Nonnull Cors cors);

	/**
	 * Authorizes a <a href="https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request">CORS preflight</a> request.
	 *
	 * @param request                              the preflight request being authorized
	 * @param corsPreflight                        the CORS preflight data that accompanied the request
	 * @param availableResourceMethodsByHttpMethod the <em>Resource Methods</em> available to serve requests matching the
	 *                                             parameters given in the preflight data, keyed by HTTP method
	 * @return a {@link CorsPreflightResponse} when the preflight is authorized, otherwise {@link Optional#empty()}
	 */
	@Nonnull
	Optional<CorsPreflightResponse> authorizePreflight(@Nonnull Request request,
																										 @Nonnull CorsPreflight corsPreflight,
																										 @Nonnull Map<HttpMethod, ResourceMethod> availableResourceMethodsByHttpMethod);

	/**
	 * Acquires an authorizer that permits all CORS requests (not recommended for production).
	 * <p>
	 * Delegates to {@code AllOriginsCorsAuthorizer.defaultInstance()}.
	 * <p>
	 * NOTE(review): which response headers that instance emits - in particular whether credentialed
	 * requests are allowed - is not visible from this interface. Confirm before placing cookie- or
	 * session-authenticated endpoints behind this policy.
	 *
	 * @return an authorizer that accepts every origin
	 */
	@Nonnull
	static CorsAuthorizer withAcceptAllPolicy() {
		return AllOriginsCorsAuthorizer.defaultInstance();
	}

	/**
	 * Acquires an authorizer that does not permit CORS requests.
	 * <p>
	 * Delegates to {@code NoOriginsCorsAuthorizer.defaultInstance()}.
	 *
	 * @return an authorizer that rejects every origin
	 */
	@Nonnull
	static CorsAuthorizer withRejectAllPolicy() {
		return NoOriginsCorsAuthorizer.defaultInstance();
	}

	/**
	 * Acquires an authorizer that permits whitelisted origins only.
	 * <p>
	 * NOTE(review): how a request's origin is compared with the set (exact string match, case handling,
	 * trailing slashes) is decided by {@code WhitelistedOriginsCorsAuthorizer} and is not visible here;
	 * presumably entries should be complete origins (scheme, host and any non-default port) - confirm.
	 *
	 * @param whitelistedOrigins the origins to permit
	 * @return an authorizer restricted to {@code whitelistedOrigins}
	 * @throws NullPointerException if {@code whitelistedOrigins} is {@code null}
	 */
	@Nonnull
	static CorsAuthorizer withWhitelistedOrigins(@Nonnull Set<String> whitelistedOrigins) {
		// Null check happens before delegation, so the failure surfaces at this call site.
		return WhitelistedOriginsCorsAuthorizer.withOrigins(requireNonNull(whitelistedOrigins));
	}

	/**
	 * Acquires an authorizer that permits origins as decided by the supplied function.
	 * <p>
	 * The function is the whole policy, so keep it strict: compare against known origins exactly.
	 * Substring, prefix or suffix tests on the origin string are a common cause of CORS policies that
	 * accept more origins than intended.
	 * <p>
	 * NOTE(review): presumably the function receives the request's origin and returns {@code true} to
	 * permit it; how a {@code null} result is treated is decided by
	 * {@code WhitelistedOriginsCorsAuthorizer} and is not visible here - confirm.
	 *
	 * @param whitelistAuthorizer function that decides whether an origin is permitted
	 * @return an authorizer that defers to {@code whitelistAuthorizer}
	 * @throws NullPointerException if {@code whitelistAuthorizer} is {@code null}
	 */
	@Nonnull
	static CorsAuthorizer withWhitelistAuthorizer(@Nonnull Function<String, Boolean> whitelistAuthorizer) {
		// Null check happens before delegation, so the failure surfaces at this call site.
		return WhitelistedOriginsCorsAuthorizer.withAuthorizer(requireNonNull(whitelistAuthorizer));
	}
}