Skip to content

[cors] Use JDK's URI class #2180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tipsy merged 18 commits into from
Nov 30, 2025
Merged

[cors] Use JDK's URI class #2180

tipsy merged 18 commits into from
Nov 30, 2025

Conversation

@Playacem
Copy link
Member

@Playacem Playacem commented Mar 4, 2024
edited
Loading

Todos:

  • tests for IPv4 addresses as an origin
  • tests for IPv6 addresses as an origin
  • harden port extraction especially for IPv6 addresses
  • Use URI class for port logic
  • complete plugin tests for IP address based origins

Fixes #2138 (once its done)

@codecov
Copy link

codecov bot commented Mar 4, 2024
edited
Loading

Codecov Report

❌ Patch coverage is 91.30435% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.68%. Comparing base (1e95587) to head (a2ab0dd).
⚠️ Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
...c/main/java/io/javalin/plugin/bundled/CorsUtils.kt 89.47% 0 Missing and 4 partials ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master    #2180      +/-   ##
============================================
+ Coverage     86.54%   86.68%   +0.13%     
+ Complexity     1446     1435      -11     
============================================
  Files           153      153              
  Lines          4200     4184      -16     
  Branches        477      468       -9     
============================================
- Hits           3635     3627       -8     
+ Misses          369      364       -5     
+ Partials        196      193       -3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tipsy tipsy force-pushed the master branch 4 times, most recently from 765b7d0 to 6faa186 Compare May 8, 2024 16:19
@Playacem Playacem force-pushed the gh-2138-cors-jdk-uri branch from 12e07b7 to 34371f6 Compare May 13, 2024 19:24
@Playacem Playacem force-pushed the gh-2138-cors-jdk-uri branch from 34371f6 to 6d6d995 Compare May 22, 2024 15:42
@tipsy
Copy link
Member

tipsy commented Jul 5, 2024

How is this PR going @Playacem ?

@Playacem
Copy link
Member Author

Playacem commented Jul 6, 2024

I have been quite busy with real life, but I finally have some time this weekend to work on it.

@tipsy
Copy link
Member

tipsy commented Jul 6, 2024

I have been quite busy with real life, but I finally have some time this weekend to work on it.

Me too, no rush ☺️

@Playacem Playacem force-pushed the gh-2138-cors-jdk-uri branch from 6d6d995 to 1df3f7d Compare July 6, 2024 10:23
@Playacem Playacem force-pushed the gh-2138-cors-jdk-uri branch from 8740c5c to 4cdeb24 Compare November 2, 2024 09:16
@Playacem Playacem marked this pull request as ready for review November 3, 2024 11:17
@tipsy
Copy link
Member

tipsy commented Mar 2, 2025

marked this pull request as ready for review 4 months ago

I guess it's ready for review? 😅

@Playacem
Copy link
Member Author

Playacem commented Mar 3, 2025

It is :)

@zugazagoitia zugazagoitia requested a review from Copilot June 13, 2025 17:19
Copilot AI reviewed Jun 13, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request updates the CORS support to use JDK’s URI class for more robust origin parsing. Key changes include updating tests to use parameterized inputs for various origin scenarios (IPv4, IPv6, wildcards), refactoring CorsUtils to remove the PortResult abstraction in favor of boolean validations and exception handling, and revising CorsPlugin to integrate with the new utility methods.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
javalin/src/test/java/io/javalin/TestCorsUtils.kt Replaces individual tests with parameterized tests and updates origin parsing expectations
javalin/src/test/java/io/javalin/TestCors.kt Adds new tests for IPv4/IPv6 and wildcard handling and verifies error messages for invalid origins
javalin/src/main/java/io/javalin/plugin/bundled/CorsUtils.kt Removes PortResult, adds URI‑based origin validation and parsing, and handles wildcard origins
javalin/src/main/java/io/javalin/plugin/bundled/CorsPlugin.kt Updates usage of CorsUtils methods and refines error handling for origin validation

javalin/src/main/java/io/javalin/plugin/bundled/CorsUtils.kt
Comment on lines +21 to +26
val wildcardSnippet = "://*."
val hasWildcard = wildcardSnippet in origin
if (client && hasWildcard) {
return false
}
val possiblePortDigits = origin.subSequence(possiblePortIndex + 1, origin.length).toString()
if (possiblePortDigits.any { !it.isAsciiDigit() }) {
return PortResult.ErrorState.InvalidPort
val originWithoutWildcard = origin.replace(wildcardSnippet, "://")
Copy link

Copilot AI Jun 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Consider handling possible variations of wildcard placement or formatting rather than relying solely on the literal substring "://*." to ensure robust matching.

Suggested change
val wildcardSnippet = "://*."
val hasWildcard = wildcardSnippet in origin
if (client && hasWildcard) {
return false
}
val possiblePortDigits = origin.subSequence(possiblePortIndex + 1, origin.length).toString()
if (possiblePortDigits.any { !it.isAsciiDigit() }) {
return PortResult.ErrorState.InvalidPort
val originWithoutWildcard = origin.replace(wildcardSnippet, "://")
val wildcardRegex = Regex("://\\*\\.")
val hasWildcard = wildcardRegex.containsMatchIn(origin)
if (client && hasWildcard) {
return false
}
val originWithoutWildcard = origin.replace(wildcardRegex, "://")

Copilot uses AI. Check for mistakes.
javalin/src/main/java/io/javalin/plugin/bundled/CorsUtils.kt
return PortResult.ErrorState.InvalidPort
val originWithoutWildcard = origin.replace(wildcardSnippet, "://")
val originToAnalyze = if (hasWildcard) originWithoutWildcard else origin
try {
Copy link

Copilot AI Jun 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Consider catching more specific exceptions (e.g. URISyntaxException) here instead of a generic Exception to make error handling more explicit.

Copilot uses AI. Check for mistakes.
tipsy and others added 2 commits November 28, 2025 21:06
@tipsy
Merge branch 'master' into javalingh-2138-cors-jdk-uri
c3037ed
@Playacem
[cors] fix unit tests
a2ab0dd 
We need to specify junit-jupiter-params directly to force JUnit 6.
We previously had this on our classpath as a transitive dependency from
mockk, leading to a version mismatch and failing parameterized tests.
We could also switch over to the junit-jupiter artifact which combines
api, params and runtime.
@tipsy
Copy link
Member

tipsy commented Nov 30, 2025

Looks great @Playacem, thank you very much 🙌

@tipsy tipsy merged commit a81cafa into javalin:master Nov 30, 2025
19 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[cors] Use JDK'S URI class for origin parsing

2 participants

@Playacem @tipsy