@ardatan ardatan commented Oct 8, 2025

Ref ROUTER-112
Closes #319

[x] Policies

Summary of Changes

Hello @ardatan, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This PR implements comprehensive CORS support for the router, allowing flexible configuration of cross-origin policies including origin matching (exact, wildcard, regex), method/header allowances, credential handling, and preflight caching. It integrates CORS processing directly into the request pipeline, ensuring proper header management for both preflight and actual requests.

Highlights

  • Intent: This pull request introduces Cross-Origin Resource Sharing (CORS) functionality to the router, addressing ROUTER-112 and graphql-hive/router#319. The goal is to allow administrators to configure CORS policies, enabling web applications from different origins to interact with the router securely.
  • Key Changes: The core changes involve adding a new cors module to both the router-config and bin/router crates. The router-config crate now includes a CORSConfig struct for defining various CORS parameters (e.g., allowed origins, methods, headers, credentials, max age, and regex-based origin matching). The bin/router crate's new pipeline::cors module implements the logic for processing CORS requests, including handling OPTIONS preflight requests and injecting appropriate Access-Control-* headers into responses. This logic is integrated into the main graphql_endpoint_handler, which now checks for CORS configuration, performs CORS processing before the GraphQL request, and applies generated CORS headers to the final response. A CORSPlan is stored in the RouterSharedState for efficient access to the parsed CORS rules. The regex crate was added as a dependency to support regex-based origin matching.
  • Minor Changes: The docs/README.md file was updated to include documentation for a csrf configuration, which appears to be an unrelated change to the primary CORS feature.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces CORS support to the router, which is a great addition. The implementation is quite thorough, covering various CORS configurations and including a good set of tests. I've found a critical issue in the handling of preflight requests and a few other areas for improvement regarding correctness, maintainability, and documentation. Please see my detailed comments below.

github-actions bot commented Oct 8, 2025

k6-benchmark results

     ✓ response code was 200
     ✓ no graphql errors
     ✓ valid response structure

     █ setup

     checks.........................: 100.00% ✓ 229215      ✗ 0    
     data_received..................: 6.7 GB  223 MB/s
     data_sent......................: 90 MB   3.0 MB/s
     http_req_blocked...............: avg=2.85µs  min=641ns   med=1.7µs   max=5.49ms   p(90)=2.45µs  p(95)=2.87µs 
     http_req_connecting............: avg=145ns   min=0s      med=0s      max=753.87µs p(90)=0s      p(95)=0s     
     http_req_duration..............: avg=19.15ms min=2.11ms  med=18.18ms max=210.05ms p(90)=26.48ms p(95)=29.66ms
       { expected_response:true }...: avg=19.15ms min=2.11ms  med=18.18ms max=210.05ms p(90)=26.48ms p(95)=29.66ms
     http_req_failed................: 0.00%   ✓ 0           ✗ 76425
     http_req_receiving.............: avg=170.4µs min=24.14µs med=39.63µs max=159.78ms p(90)=90.16µs p(95)=385.1µs
     http_req_sending...............: avg=24.74µs min=5.33µs  med=10.61µs max=30.14ms  p(90)=16.03µs p(95)=27.89µs
     http_req_tls_handshaking.......: avg=0s      min=0s      med=0s      max=0s       p(90)=0s      p(95)=0s     
     http_req_waiting...............: avg=18.96ms min=2.05ms  med=18.06ms max=76.99ms  p(90)=26.24ms p(95)=29.35ms
     http_reqs......................: 76425   2541.673806/s
     iteration_duration.............: avg=19.62ms min=5.14ms  med=18.54ms max=337.12ms p(90)=26.94ms p(95)=30.16ms
     iterations.....................: 76405   2541.008664/s
     vus............................: 50      min=50        max=50 
     vus_max........................: 50      min=50        max=50 

@ardatan ardatan marked this pull request as draft October 8, 2025 13:02

github-actions bot commented Oct 8, 2025

🐋 This PR was built and pushed to the following Docker images:

Image Names: ghcr.io/graphql-hive/router

Platforms: linux/amd64,linux/arm64

Image Tags: ghcr.io/graphql-hive/router:pr-473 ghcr.io/graphql-hive/router:sha-454ddff

Docker metadata
{
"buildx.build.ref": "builder-b5d7873b-46ec-4063-9f7b-f8b5a171e4a3/builder-b5d7873b-46ec-4063-9f7b-f8b5a171e4a30/s084xdtd0lz4yknb6ewkx9waf",
"containerimage.descriptor": {
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "digest": "sha256:63b34b013e15025521d553ba06483487a8893a3cb501f5c52b8625f535604239",
  "size": 1609
},
"containerimage.digest": "sha256:63b34b013e15025521d553ba06483487a8893a3cb501f5c52b8625f535604239",
"image.name": "ghcr.io/graphql-hive/router:pr-473,ghcr.io/graphql-hive/router:sha-454ddff"
}

@ardatan ardatan marked this pull request as ready for review October 13, 2025 14:51

ardatan commented Oct 13, 2025

@gemini-code-assist review again

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces comprehensive CORS support, including new configuration options, a dedicated CORS processing module, and integration into the request pipeline. The implementation is well-structured, featuring optimizations for various CORS scenarios and thorough documentation updates. However, I've identified a critical compilation error and two high-severity issues concerning configuration validation and consistency. These issues could negatively affect the developer experience by silently ignoring parts of the configuration or causing deserialization errors. Addressing these points will significantly improve the robustness and usability of the new CORS feature.

ardatan commented Oct 13, 2025

@gemini-code-assist review again

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces CORS support to the router, including adding a regex dependency, implementing CORS policy configuration, and modifying the GraphQL endpoint handler to perform CORS checks. The code adds a new module for CORS handling, updates the shared state to include CORS configuration, and modifies the router's configuration to support CORS policies. I have identified a critical issue related to error handling in the CORS configuration loading process.

@ardatan ardatan changed the title CORS feat: CORS Oct 13, 2025
@ardatan ardatan changed the title feat: CORS feat(router): CORS Oct 13, 2025

ardatan commented Oct 13, 2025

@gemini-code-assist review again

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces comprehensive CORS support to the router. The implementation is well-structured, adding a new cors.rs module for the core logic, along with corresponding configuration options, documentation, and tests. My review focuses on enhancing the robustness, readability, and performance of the new CORS implementation. I've suggested changes to avoid unnecessary allocations, handle non-UTF8 headers more gracefully, prevent duplicate Vary header values, and use more idiomatic Rust patterns for safer and clearer code.
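
An added example (not code from this pull request): the origin matching, preflight handling, non-UTF-8 Origin handling and Vary de-duplication that the summary and reviews describe, in std-only Rust. The type and function names and the `https://*.example.org` wildcard syntax are assumptions, and regex origins are left out.

```rust
// Added example: type names, function names and the wildcard syntax are assumptions,
// not the router's API. Regex origins are omitted to stay std-only.
pub struct CorsPolicy {
    pub origins: Vec<String>, // exact origin, or one `*` for subdomains ("https://*.example.org")
    pub methods: Vec<String>,
    pub allow_credentials: bool,
}

fn origin_allowed(policy: &CorsPolicy, origin: &str) -> bool {
    policy.origins.iter().any(|p| match p.split_once('*') {
        None => p.as_str() == origin,
        Some((pre, suf)) => {
            origin.len() > pre.len() + suf.len()
                && origin.starts_with(pre)
                && origin.ends_with(suf)
                // the wildcard may cover host characters only, never '/', ':' or '@'
                && origin[pre.len()..origin.len() - suf.len()]
                    .chars()
                    .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
        }
    })
}

/// Append `value` to a Vary header value unless it is already listed (case-insensitive).
pub fn add_vary(existing: &str, value: &str) -> String {
    let listed = existing.split(',').any(|v| v.trim().eq_ignore_ascii_case(value));
    if listed { return existing.to_string(); }
    if existing.trim().is_empty() { value.to_string() } else { format!("{}, {}", existing, value) }
}

/// Response headers for one request; `vary` is the Vary value already on the response.
pub fn cors_headers(policy: &CorsPolicy, origin: Option<&[u8]>, preflight: bool, vary: &str)
    -> Vec<(&'static str, String)> {
    let mut h = vec![("vary", add_vary(vary, "Origin"))]; // the response depends on Origin either way
    let origin = match origin.and_then(|o| std::str::from_utf8(o).ok()) {
        Some(o) if origin_allowed(policy, o) => o,
        _ => return h, // absent, non-UTF-8 or disallowed Origin: no Access-Control-* headers
    };
    // Echo the matched origin; "*" is not valid together with credentials.
    h.push(("access-control-allow-origin", origin.to_string()));
    if policy.allow_credentials { h.push(("access-control-allow-credentials", "true".to_string())); }
    if preflight { h.push(("access-control-allow-methods", policy.methods.join(", "))); }
    h
}

fn main() {
    let p = CorsPolicy { origins: vec!["https://*.example.org".into()],
        methods: vec!["GET".into(), "POST".into()], allow_credentials: true };
    let h = cors_headers(&p, Some("https://a.example.org".as_bytes()), true, "Accept-Encoding");
    for (k, v) in h { println!("{}: {}", k, v); }
}
```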

@kamilkisiela kamilkisiela disabled auto-merge October 14, 2025 13:11
@kamilkisiela kamilkisiela enabled auto-merge (squash) October 14, 2025 13:13

@kamilkisiela kamilkisiela left a comment

made some changes

@kamilkisiela kamilkisiela merged commit 27c8ebe into main Oct 14, 2025
18 checks passed
@kamilkisiela kamilkisiela deleted the cors branch October 14, 2025 13:29
@theguild-bot theguild-bot mentioned this pull request Oct 14, 2025

Development

Successfully merging this pull request may close these issues.

RFC: CORS
