From 84a7c5d42f83317c4a9654575483dcdbc7c731cd Mon Sep 17 00:00:00 2001 From: Akshay Shah Date: Mon, 20 Nov 2023 15:17:19 -0800 Subject: [PATCH 1/9] Use Connect CoC --- .github/CODE_OF_CONDUCT.md | 134 +------------------------------------ 1 file changed, 2 insertions(+), 132 deletions(-) diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md index 1900eb4..628cbec 100644 --- a/.github/CODE_OF_CONDUCT.md +++ b/.github/CODE_OF_CONDUCT.md 
@@ -1,133 +1,3 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -We as members, contributors, and leaders pledge to make participation in our -community a harassment-free experience for everyone, regardless of age, body -size, visible or invisible disability, ethnicity, sex characteristics, gender -identity and expression, level of experience, education, socio-economic status, -nationality, personal appearance, race, religion, or sexual identity -and orientation. - -We pledge to act and interact in ways that contribute to an open, welcoming, -diverse, inclusive, and healthy community. - -## Our Standards - -Examples of behavior that contributes to a positive environment for our -community include: - -* Demonstrating empathy and kindness toward other people -* Being respectful of differing opinions, viewpoints, and experiences -* Giving and gracefully accepting constructive feedback -* Accepting responsibility and apologizing to those affected by our mistakes, - and learning from the experience -* Focusing on what is best not just for us as individuals, but for the - overall community - -Examples of unacceptable behavior include: - -* The use of sexualized language or imagery, and sexual attention or - advances of any kind -* Trolling, insulting or derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or email - address, without their explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Enforcement Responsibilities - -Community leaders are responsible for clarifying and enforcing our standards of -acceptable behavior and will take appropriate and fair corrective action in -response to any behavior that they deem inappropriate, threatening, offensive, -or harmful. 
- -Community leaders have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are -not aligned to this Code of Conduct, and will communicate reasons for moderation -decisions when appropriate. - -## Scope - -This Code of Conduct applies within all community spaces, and also applies when -an individual is officially representing the community in public spaces. -Examples of representing our community include using an official e-mail address, -posting via an official social media account, or acting as an appointed -representative at an online or offline event. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported to the community leaders responsible for enforcement at -conduct@buf.build. All complaints will be reviewed and investigated promptly -and fairly. - -All community leaders are obligated to respect the privacy and security of the -reporter of any incident. - -## Enforcement Guidelines - -Community leaders will follow these Community Impact Guidelines in determining -the consequences for any action they deem in violation of this Code of Conduct: - -### 1. Correction - -**Community Impact**: Use of inappropriate language or other behavior deemed -unprofessional or unwelcome in the community. - -**Consequence**: A private, written warning from community leaders, providing -clarity around the nature of the violation and an explanation of why the -behavior was inappropriate. A public apology may be requested. - -### 2. Warning - -**Community Impact**: A violation through a single incident or series -of actions. - -**Consequence**: A warning with consequences for continued behavior. No -interaction with the people involved, including unsolicited interaction with -those enforcing the Code of Conduct, for a specified period of time. This -includes avoiding interactions in community spaces as well as external channels -like social media. 
Violating these terms may lead to a temporary or -permanent ban. - -### 3. Temporary Ban - -**Community Impact**: A serious violation of community standards, including -sustained inappropriate behavior. - -**Consequence**: A temporary ban from any sort of interaction or public -communication with the community for a specified period of time. No public or -private interaction with the people involved, including unsolicited interaction -with those enforcing the Code of Conduct, is allowed during this period. -Violating these terms may lead to a permanent ban. - -### 4. Permanent Ban - -**Community Impact**: Demonstrating a pattern of violation of community -standards, including sustained inappropriate behavior, harassment of an -individual, or aggression toward or disparagement of classes of individuals. - -**Consequence**: A permanent ban from any sort of public interaction within -the community. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], -version 2.0, available at -[https://www.contributor-covenant.org/version/2/0/code_of_conduct.html][v2.0]. - -Community Impact Guidelines were inspired by -[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. - -For answers to common questions about this code of conduct, see the FAQ at -[https://www.contributor-covenant.org/faq][FAQ]. Translations are available -at [https://www.contributor-covenant.org/translations][translations]. - -[homepage]: https://www.contributor-covenant.org -[v2.0]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html -[Mozilla CoC]: https://github.com/mozilla/diversity -[FAQ]: https://www.contributor-covenant.org/faq -[translations]: https://www.contributor-covenant.org/translations +## Community Code of Conduct +Connect follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). From d8ec8a78057c7870099e5b5de8942d7f513de286 Mon Sep 17 00:00:00 2001 
From: Akshay Shah Date: Mon, 20 Nov 2023 16:09:58 -0800 Subject: [PATCH 2/9] Change copyright holder to Connect Prepare for eventual open-source release by updating the copyright holder to match the rest of the Connect projects. --- LICENSE | 2 +- Makefile | 2 +- cors.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/LICENSE b/LICENSE index f308f8b..9348264 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2023 Buf Technologies, Inc. + Copyright 2023 The Connect Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/Makefile b/Makefile index ba47356..41471a6 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,7 @@ build: generate ## Build all packages generate: $(BIN)/license-header ## Regenerate code and licenses license-header \ --license-type apache \ - --copyright-holder "Buf Technologies, Inc." \ + --copyright-holder "The Connect Authors" \ --year-range "$(COPYRIGHT_YEARS)" $(LICENSE_IGNORE) .PHONY: lint diff --git a/cors.go b/cors.go index c304623..c32ca38 100644 --- a/cors.go +++ b/cors.go @@ -1,4 +1,4 @@ -// Copyright 2023 Buf Technologies, Inc. +// Copyright 2023 The Connect Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. From fe37148131bc5fc1d51b35960a8c74d8799aa2f1 Mon Sep 17 00:00:00 2001 From: Akshay Shah Date: Mon, 20 Nov 2023 15:22:49 -0800 Subject: [PATCH 3/9] Align .golangci.yml with connect-go --- .golangci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.golangci.yml b/.golangci.yml index ae5b395..3f573aa 100644 --- a/.golangci.yml +++ b/.golangci.yml 
@@ -39,6 +39,7 @@ linters: - maintidx # covered by gocyclo - maligned # readability trumps efficient struct packing - nlreturn # generous whitespace violates house style + - nonamedreturns # named returns are fine; it's *bare* returns that are bad - nosnakecase # deprecated in https://github.com/golangci/golangci-lint/pull/3065 - scopelint # deprecated by author - structcheck # abandoned From 5a85408277e46aa08f1610da40b2ca5d967639f5 Mon Sep 17 00:00:00 2001 From: Akshay Shah Date: Mon, 20 Nov 2023 15:23:03 -0800 Subject: [PATCH 4/9] Align CI workflow with connect-go --- .github/workflows/ci.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index de6bb67..8ddd15e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -25,12 +25,6 @@ jobs: uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} - - name: Cache - uses: actions/cache@v3 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-cors-go-ci-${{ hashFiles('**/go.sum') }} - restore-keys: ${{ runner.os }}-cors-go-ci- - name: Test run: make test - name: Lint From fdfa38b949b8096c707f70e8a64a0239b002fa06 Mon Sep 17 00:00:00 2001 From: Akshay Shah Date: Mon, 20 Nov 2023 16:20:04 -0800 Subject: [PATCH 5/9] Add MAINTAINERS.md --- MAINTAINERS.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 MAINTAINERS.md diff --git a/MAINTAINERS.md b/MAINTAINERS.md new file mode 100644 index 0000000..d95df07 --- /dev/null +++ b/MAINTAINERS.md @@ -0,0 +1,7 @@ +Maintainers +=========== + +## Current +* [Akshay Shah](https://github.com/akshayjshah), [Buf](https://buf.build) +* [Edward McFarlane](https://github.com/emcfarlane), [Buf](https://buf.build) +* [Timo Stamm](https://github.com/timostamm), [Buf](https://buf.build) From 4aa4439d1c7555e10208f6fec590cc691c77ca68 Mon Sep 17 00:00:00 2001 
From: Akshay Shah Date: Mon, 20 Nov 2023 16:21:12 -0800 Subject: [PATCH 6/9] Add SECURITY.md --- SECURITY.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..04dcde5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +Security Policy +=============== + +This project follows the [Connect security policy and reporting +process](https://connectrpc.com/docs/governance/security). From 4de973ca9a3aa67fc5b9ea3e709c5e2b2101f38e Mon Sep 17 00:00:00 2001 From: Akshay Shah Date: Mon, 20 Nov 2023 16:05:06 -0800 Subject: [PATCH 7/9] Clarify docs and trim header lists Align our recommendations here with https://connectrpc.com/docs/cors, and trim the list of headers down to the ones actually required. Along the way, clarify the documentation a bit and correct places where we were confusing the preflight and actual responses. --- cors.go | 66 ++++++++++++++++++++++++--------------------------------- 1 file changed, 28 insertions(+), 38 deletions(-) diff --git a/cors.go b/cors.go index c32ca38..52b5208 100644 --- a/cors.go +++ b/cors.go @@ -12,13 +12,10 @@ // See the License for the specific language governing permissions and // limitations under the License. -// Package cors provides cross-origin resource sharing (CORS) constants for -// Connect. These constants are used to configure the CORS headers for a -// Connect server. +// Package cors provides helpers to configure cross-origin resource sharing +// (CORS) for Connect servers. package cors -import "net/http" - // AllowedMethods returns the allowed HTTP methods that scripts running in the // browser are permitted to use. // 
@@ -27,50 +24,43 @@ import "net/http" // Access-Control-Allow-Methods. func AllowedMethods() []string { return []string{ - http.MethodGet, // Required for Connect GET requests - http.MethodPost, // Required for all protocols + "GET", // for Connect + "POST", // for all protocols } } -// AllowedHeaders returns the allowed header fields that scripts running in the -// browser are permitted to access. +// AllowedHeaders returns the headers that scripts running in the browser send +// when making RPC requests. To support cross-domain requests with the +// protocols supported by Connect, these field names must be included in the +// Access-Control-Allow-Headers header of the preflight response. // -// To support cross-domain requests with the protocols supported by Connect, -// these field names must be included in header Access-Control-Allow-Headers -// of the actual response. +// When configuring CORS, make sure to also include any application-specific +// headers your server expects to receive from the browser. func AllowedHeaders() []string { return []string{ - "Content-Type", // Required for Connect - "Connect-Protocol-Version", // Required for Connect - "Connect-Timeout-Ms", // Optional for Connect - "Connect-Accept-Encoding", // Future use for Connect - "Connect-Content-Encoding", // Future use for Connect - "Accept-Encoding", // Future use for Connect - "Content-Encoding", // Future use for Connect - "Grpc-Timeout", // Required for gRPC-web - "X-Grpc-Web", // Optional for gRPC-web - "X-User-Agent", // Optional for gRPC-web + "Content-Type", // for all protocols + "Connect-Protocol-Version", // for Connect + "Connect-Timeout-Ms", // for Connect + "Grpc-Timeout", // for gRPC-web + "X-Grpc-Web", // for gRPC-web + "X-User-Agent", // for all protocols } } -// ExposedHeaders returns the headers that scripts running in the browser are -// permitted to see. 
-// -// To support cross-domain requests with the protocols supported by Connect, -// these field names must be included in header Access-Control-Expose-Headers -// of the actual response. +// ExposedHeaders returns the headers that scripts running in the +// browser expect to access when receiving RPC responses. To support +// cross-domain requests with the protocols supported by Connect, these field +// names must be included in the Access-Control-Expose-Headers header of the +// actual response. // -// Make sure to include any application-specific headers your browser client -// should see. If your application uses trailers, they will be sent as header -// fields with a `Trailer-` prefix for Connect unary RPCs - make sure to -// expose them as well if you want them to be visible in all supported -// protocols. +// When configuring CORS, make sure to also include any application-specific +// headers your server expects to send to the browser. If your application uses +// trailers, they will be sent as headers with a `Trailer-` prefix for +// unary Connect RPCs - make sure to expose them! func ExposedHeaders() []string { return []string{ - "Content-Encoding", // Future use for Connect - "Connect-Content-Encoding", // Future use for Connect - "Grpc-Status", // Required for gRPC-web header response - "Grpc-Message", // Required for gRPC-web header response - "Grpc-Status-Details-Bin", // Required for gRPC-web error details + "Grpc-Status", // for gRPC-web + "Grpc-Message", // for gRPC-web + "Grpc-Status-Details-Bin", // for gRPC-web } } From 5017abbb841b7191f3194d9928c2dc0f7f6acdd7 Mon Sep 17 00:00:00 2001 
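Review bot: The rewritten ExposedHeaders comment tells callers to expose the `Trailer-`-prefixed headers of unary Connect RPCs but not how. Access-Control-Expose-Headers matches complete field names only, so listing the bare prefix would expose none of them. I would add a line such as `// List every trailer by its full name (e.g. "Trailer-X-Request-Id", a constructed example); there is no prefix matching, and "*" is taken literally on credentialed requests.` The AllowedHeaders comment has the same gap for application headers: `Authorization` is not covered by a `*` in Access-Control-Allow-Headers and must be named explicitly, which deserves a sentence next to "make sure to also include any application-specific headers".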
From: Akshay Shah Date: Mon, 20 Nov 2023 16:11:45 -0800 Subject: [PATCH 8/9] Reword README in preparation for OSS Anticipating release as part of the Connect project, change the import path to `connectrpc.com/cors`, add the usual badges to the README, and re-word the README a bit for clarity. --- README.md | 49 ++++++++++++++++++++++++++++--------------------- go.mod | 2 +- 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 82a4736..732b3de 100644 --- a/README.md +++ b/README.md 
@@ -1,40 +1,47 @@ cors-go -=============== +======= -Cross-origin resource sharing (CORS) support for Connect servers. Exports methods -to configure CORS headers to allow Connect and gRPC-web protocols to operate in -the browser. +[![Build](https://github.com/connectrpc.com/cors-go/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/connectrpc.com/cors-go/actions/workflows/ci.yaml) +[![Report Card](https://goreportcard.com/badge/connectrpc.com/cors)](https://goreportcard.com/report/connectrpc.com/cors) +[![GoDoc](https://pkg.go.dev/badge/connectrpc.com/cors.svg)](https://pkg.go.dev/connectrpc.com/cors) + +`connectrpc.com/cors` provides convenience methods to make configuring +Cross-Origin Resource Sharing (CORS) easier for +[Connect](https://github.com/connectrpc/connect-go) servers. CORS is often +required for the Connect and gRPC-Web protocols to work correctly in web +browsers. + +For background, more details, and best practices, see [Connect's CORS +documentation](https://connectrpc.com/docs/cors). ## Example -As an example, we will use the [github.com/rs/cors](https://github.com/rs/cors) -package to demonstrate how to use the constants defined in this package. +This package should work with any CORS package. As an example, we'll use it +with [github.com/rs/cors](https://github.com/rs/cors). ```go import ( - cors "github.com/bufbuild/cors-go" - rscors "github.com/rs/cors" + connectcors "connectrpc.com/cors" + "github.com/rs/cors" ) -// corsMiddleware wraps a handler with require cors config using rs/cors. -func corsMiddleware(handler http.Handler) http.Handler { - // Create a new cors instance with default options. - c := rscors.New(rscors.Options{ - AllowedMethods: cors.AllowedMethods(), - AllowedHeaders: cors.AllowedHeaders(), - ExposedHeaders: cors.ExposedHeaders(), +// withCORS adds CORS support to a Connect HTTP handler. 
+func withCORS(connectHandler http.Handler) http.Handler { + c := cors.New(cors.Options{ + AllowedOrigins: []string{"https://acme.com"}, // replace with your domain + AllowedMethods: connectcors.AllowedMethods(), + AllowedHeaders: connectcors.AllowedHeaders(), + ExposedHeaders: connectcors.ExposedHeaders(), + MaxAge: 7200, // 2 hours in seconds }) - // Insert the middleware as a wrapper around your handler. - return c.Handler(handler /* connect handler */) + return c.Handler(connectHandler) } ``` ## Status: Alpha -Cors is undergoing initial development and is not yet stable. +This module is undergoing initial development and is not yet stable. ## Legal -Offered under the [Apache 2 license][license]. - -[license]: https://github.com/bufbuild/cors-go/blob/main/LICENSE +Offered under the [Apache 2 license][LICENSE]. diff --git a/go.mod b/go.mod index 1ee00a3..9e6db2d 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ -module github.com/bufbuild/cors-go +module connectrpc.com/cors go 1.19 From 51311543e9ca59c196567442cc25f024c1fbb85d Mon Sep 17 00:00:00 2001 From: Akshay Shah Date: Tue, 21 Nov 2023 09:49:32 -0800 Subject: [PATCH 9/9] Use package name in README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 732b3de..e903f38 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -cors-go -======= +cors +==== [![Build](https://github.com/connectrpc.com/cors-go/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/connectrpc.com/cors-go/actions/workflows/ci.yaml) [![Report Card](https://goreportcard.com/badge/connectrpc.com/cors)](https://goreportcard.com/report/connectrpc.com/cors)