Skip to content

fix(cors): allow Office add-in origins (addin.postguard.eu + localhost:3000) and DELETE method#179

Merged
rubenhensen merged 2 commits into
mainfrom
fix/cors-addin-origins
Jun 24, 2026
Merged

fix(cors): allow Office add-in origins (addin.postguard.eu + localhost:3000) and DELETE method#179
rubenhensen merged 2 commits into
mainfrom
fix/cors-addin-origins

Conversation

@dobby-coder

@dobby-coder dobby-coder Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes the CORS failure reported in encryption4all/postguard#154: browser callers (pg-js inside the Office add-in) were blocked when reaching /fileupload/* and /filedownload/*, because the preflight returned no Access-Control-Allow-Origin. The production allowed_origins regex only matched the postguard.eu/postguard.nl website, so the add-in's origins never matched.

Changes

  • conf/config.toml — extend the allowed_origins regex to also match the add-in origins from the issue, keeping the existing website origins:
    ^https://(postguard\.(eu|nl)|addin\.postguard\.eu|localhost:3000)$
    
    • https://addin.postguard.eu — Outlook add-in (prod)
    • https://localhost:3000 — Office add-in dev server
    • https://postguard.eu / https://postguard.nl — unchanged
  • build_rocket CORS (src/main.rs) — add Method::Delete to allowed_methods, so the preflight advertises GET, POST, PUT, DELETE as requested. Access-Control-Allow-Headers already includes Content-Type and Authorization (plus Content-Range, CryptifyToken, Range, X-Recovery-Token, X-POSTGUARD-CLIENT-VERSION), so no header change was needed.

Tests

Two new integration tests boot the real build_rocket CORS fairing with the exact production regex (kept in a PROD_ALLOWED_ORIGINS const, a hand-maintained copy of the shipped regex):

  • cors_preflight_allows_addin_and_localhost_origins — sends OPTIONS /fileupload/init from both add-in origins and asserts a 2xx preflight that echoes Access-Control-Allow-Origin, advertises all four methods, and lists Content-Type + Authorization.
  • cors_preflight_rejects_unlisted_origin — asserts an unlisted origin gets no Access-Control-Allow-Origin header.

This is the in-process equivalent of the curl -i -X OPTIONS repro from the issue. Booting the standalone binary to curl it live isn't feasible here (it requires a reachable PKG server at startup), but the test drives the identical fairing + config path the curl would hit.

cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test --all-targets (127 passed) all pass locally.

Closes encryption4all/postguard#154

🤖 Generated with Claude Code

dobby-coder Bot and others added 2 commits June 24, 2026 12:16
Browser callers from the Office add-in were blocked by CORS when reaching
/fileupload/* and /filedownload/*: the preflight returned no
Access-Control-Allow-Origin because the production allowed_origins regex
only matched the postguard.eu/nl website.

- conf/config.toml: extend allowed_origins to also match
  https://addin.postguard.eu (Outlook prod) and https://localhost:3000
  (Office add-in dev), keeping the existing postguard.(eu|nl) origins.
- build_rocket CORS: add DELETE to allowed_methods so the preflight
  advertises GET, POST, PUT, DELETE. Content-Type and Authorization are
  already in the allowed-headers list.
- Add integration tests over the real build_rocket CORS fairing asserting
  the preflight succeeds (echoes Allow-Origin, advertises all four methods
  and the required headers) for both add-in origins, and is rejected for an
  unlisted origin.

Refs encryption4all/postguard#154

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The comment claimed a config typo would fail the suite, but the CORS
tests use this hand-maintained copy and never read conf/config.toml.
Reword to state it is a copy that must be kept in sync.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rubenhensen rubenhensen merged commit b0bcef3 into main Jun 24, 2026
8 checks passed
@rubenhensen rubenhensen deleted the fix/cors-addin-origins branch June 24, 2026 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Cryptify staging: enable CORS for browser callers (localhost + addin.postguard.eu)

1 participant