CBG-3594: Check if CORS config is actually empty before adding CORS response headers (#7792)

Author: bbrks

auth/cors.go

@@ -32,6 +32,12 @@ func (cors *CORSConfig) AddResponseHeaders(request *http.Request, response http.
 	}
 }
 
+// IsEmpty returns true if the CORS configuration is empty - used instead of a nil check since we always initialize the CORS config struct.
+func (cors *CORSConfig) IsEmpty() bool {
+	return cors == nil ||
+		(len(cors.Origin) == 0 && len(cors.LoginOrigin) == 0 && len(cors.Headers) == 0 && cors.MaxAge == 0)
+}
+
 func MatchedOrigin(allowOrigins []string, rqOrigins []string) string {
 	for _, rv := range rqOrigins {
 		for _, av := range allowOrigins {

rest/cors_test.go

@@ -288,6 +288,24 @@ func TestCORSUserNoAccess(t *testing.T) {
 	}
 }
 
+// TestCORSResponseHeadersEmptyConfig ensures that an empty CORS config results in no CORS headers being set on the response.
+func TestCORSResponseHeadersEmptyConfig(t *testing.T) {
+	rt := NewRestTester(t, nil)
+	// RestTester initializes using defaultTestingCORSOrigin - override to empty for this test
+	rt.ServerContext().Config.API.CORS = &auth.CORSConfig{}
+	defer rt.Close()
+
+	reqHeaders := map[string]string{
+		"Origin": "http://example.com",
+	}
+	response := rt.SendRequestWithHeaders(http.MethodGet, "/{{.db}}/", "", reqHeaders)
+	RequireStatus(t, response, http.StatusUnauthorized)
+	require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
+	assert.NotContains(t, response.Header(), "Access-Control-Allow-Origin")
+	assert.NotContains(t, response.Header(), "Access-Control-Allow-Credentials")
+	assert.NotContains(t, response.Header(), "Access-Control-Allow-Headers")
+}
+
 func TestCORSOriginPerDatabase(t *testing.T) {
 	// Override the default (example.com) CORS configuration in the DbConfig for /db:
 	const perDBMaxAge = 1234

rest/handler.go

@@ -339,7 +339,7 @@ func (h *handler) validateAndWriteHeaders(method handlerMethod, accessPermission
 			if h.db != nil {
 				cors = h.db.CORS
 			}
-			if cors != nil {
+			if !cors.IsEmpty() {
 				cors.AddResponseHeaders(h.rq, h.response)
 			}
 		}

rest/routing.go

@@ -456,7 +456,7 @@ func wrapRouter(sc *ServerContext, privs handlerPrivs, serverType serverType, ro
 					cors = db.CORS
 				}
 			}
-			if cors != nil && privs != adminPrivs && privs != metricsPrivs {
+			if !cors.IsEmpty() && privs != adminPrivs && privs != metricsPrivs {
 				cors.AddResponseHeaders(rq, response)
 			}
 			if len(options) == 0 {