Fixes for CORS, enqueuing PRs, and storing user_id

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Author: lukaszgryglicki

cla-backend-legacy/internal/api/github_oauth.go

@@ -425,19 +425,39 @@ func (h *Handlers) githubSignRequest(w http.ResponseWriter, r *http.Request) {
 	sessionSetString(sess, "github_installation_id", installationID)
 	sessionSetString(sess, "github_repository_id", repoID)
 	sessionSetString(sess, "github_change_request_id", changeID)
-
-	// Determine origin URL from PR.
-	inst, _ := strconv.ParseInt(strings.TrimSpace(installationID), 10, 64)
-	repo, _ := strconv.ParseInt(strings.TrimSpace(repoID), 10, 64)
-	pr, _ := strconv.ParseInt(strings.TrimSpace(changeID), 10, 64)
-	if inst > 0 && repo > 0 && pr > 0 {
-		if origin, err := h.github.GetPullRequestHTMLURL(ctx, inst, repo, pr); err == nil {
-			sessionSetString(sess, "github_origin_url", origin)
-		} else {
-			// Mirror Python: exceptions bubble up as server errors.
-			respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": "unable to fetch pull request", "details": err.Error()})
-			return
+	// Determine origin URL from PR. Python parses all three path IDs as int()
+	// before creating the GitHub PR URL/OAuth state; malformed IDs raise and
+	// never proceed to OAuth. Keep that fail-fast behavior.
+	inst, err := strconv.ParseInt(strings.TrimSpace(installationID), 10, 64)
+	if err != nil || inst <= 0 {
+		if err == nil {
+			err = errors.New("installation_id must be a positive integer")
+		}
+		respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": "unable to fetch pull request", "details": err.Error()})
+		return
+	}
+	repo, err := strconv.ParseInt(strings.TrimSpace(repoID), 10, 64)
+	if err != nil || repo <= 0 {
+		if err == nil {
+			err = errors.New("github_repository_id must be a positive integer")
+		}
+		respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": "unable to fetch pull request", "details": err.Error()})
+		return
+	}
+	pr, err := strconv.ParseInt(strings.TrimSpace(changeID), 10, 64)
+	if err != nil || pr <= 0 {
+		if err == nil {
+			err = errors.New("change_request_id must be a positive integer")
 		}
+		respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": "unable to fetch pull request", "details": err.Error()})
+		return
+	}
+	if origin, err := h.github.GetPullRequestHTMLURL(ctx, inst, repo, pr); err == nil {
+		sessionSetString(sess, "github_origin_url", origin)
+	} else {
+		// Mirror Python: exceptions bubble up as server errors.
+		respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": "unable to fetch pull request", "details": err.Error()})
+		return
 	}
 
 	if sessionGetMap(sess, "github_oauth2_token") != nil {

cla-backend-legacy/internal/api/handlers.go

@@ -1356,7 +1356,7 @@ func (h *Handlers) handleLegacyGithubMergeGroup(ctx context.Context, payload map
 func (h *Handlers) handleLegacyGithubReceivedActivity(ctx context.Context, payload map[string]any) error {
 	action := githubActivityAction(payload)
 	switch action {
-	case "opened", "reopened", "synchronize":
+	case "opened", "reopened", "synchronize", "enqueued":
 		return h.handleLegacyGithubPullRequestUpdate(ctx, payload)
 	case "checks_requested":
 		return h.handleLegacyGithubMergeGroup(ctx, payload)
@@ -3002,7 +3002,9 @@ func (h *Handlers) GetUserActiveSignatureV2(w http.ResponseWriter, r *http.Reque
 		respond.JSON(w, http.StatusOK, nil)
 		return
 	}
-
+	if metadataString(metadata, "user_id") == "" {
+		metadata["user_id"] = userID
+	}
 	returnURL, err := h.computeReturnURLFromActiveSignatureMetadata(r.Context(), metadata)
 	if err != nil {
 		respond.JSON(w, http.StatusInternalServerError, err.Error())

cla-backend-legacy/internal/middleware/cors.go

@@ -61,6 +61,39 @@ func addAllowedOrigin(raw string) {
 func addContributorConsoleOrigins() {
 	addAllowedOrigin(os.Getenv("CLA_CONTRIBUTOR_BASE"))
 	addAllowedOrigin(os.Getenv("CLA_CONTRIBUTOR_V2_BASE"))
+	addAllowedOrigin(os.Getenv("CLA_CORPORATE_BASE"))
+	addAllowedOrigin(os.Getenv("CLA_CORPORATE_V2_BASE"))
+	addAllowedOrigin(os.Getenv("CLA_LANDING_PAGE"))
+}
+
+func addBuiltInEasyCLAOrigins() {
+	// Keep known EasyCLA dev/staging/prod UI and API aliases available even when
+	// ALLOWED_ORIGINS in SSM is incomplete. Credentialed browser requests cannot
+	// use a wildcard Access-Control-Allow-Origin value.
+	for _, origin := range []string{
+		"https://easycla.dev.communitybridge.org",
+		"https://easycla.staging.communitybridge.org",
+		"https://easycla.communitybridge.org",
+		"https://easycla.dev.platform.linuxfoundation.org",
+		"https://easycla.staging.platform.linuxfoundation.org",
+		"https://easycla.lfx.linuxfoundation.org",
+		"https://contributor.easycla.lfx.linuxfoundation.org",
+		"https://project.dev.lfcla.com",
+		"https://project.v1.easycla.lfx.linuxfoundation.org",
+		"https://corporate.dev.lfcla.com",
+		"https://corporate.v1.easycla.lfx.linuxfoundation.org",
+		"https://api.lfcla.dev.platform.linuxfoundation.org",
+		"https://api.lfcla.staging.platform.linuxfoundation.org",
+		"https://api.easycla.lfx.linuxfoundation.org",
+		"https://api.dev.lfcla.com",
+		"https://api.staging.lfcla.com",
+		"https://api.lfcla.com",
+		"https://api-gw.dev.platform.linuxfoundation.org",
+		"https://api-gw.staging.platform.linuxfoundation.org",
+		"https://api-gw.platform.linuxfoundation.org",
+	} {
+		addAllowedOrigin(origin)
+	}
 }
 
 func loadAllowedOriginsFromEnv() {
@@ -69,6 +102,7 @@ func loadAllowedOriginsFromEnv() {
 		// Backwards compatible default: allow all.
 		allowAllOrigins = true
 		addContributorConsoleOrigins()
+		addBuiltInEasyCLAOrigins()
 		return
 	}
 
@@ -83,6 +117,7 @@ func loadAllowedOriginsFromEnv() {
 				addAllowedOrigin(v)
 			}
 			addContributorConsoleOrigins()
+			addBuiltInEasyCLAOrigins()
 			if len(allowedOrigins) == 0 && !allowAllOrigins {
 				allowAllOrigins = true
 			}
@@ -106,6 +141,7 @@ func loadAllowedOriginsFromEnv() {
 	// Therefore these origins must be allowed to call the v1/v2 APIs after
 	// GitHub OAuth redirects back to EasyCLA.
 	addContributorConsoleOrigins()
+	addBuiltInEasyCLAOrigins()
 
 	if len(allowedOrigins) == 0 && !allowAllOrigins {
 		allowAllOrigins = true
@@ -148,7 +184,8 @@ func CORS(next http.Handler) http.Handler {
 
 		// Legacy Python sets the string literal "true".
 		w.Header().Set("Access-Control-Allow-Credentials", "true")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+		// w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Hub-Signature, X-Hub-Signature-256, X-GitHub-Event, X-GitHub-Delivery")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 
 		if r.Method == http.MethodOptions {

cla-backend/serverless.yml

@@ -544,7 +544,7 @@ functions:
       - http:
           method: ANY
           path: v1/{proxy+}
-          cors: true
+          # cors: true
     package:
       individually: true
       patterns:
@@ -562,7 +562,7 @@ functions:
       - http:
           method: ANY
           path: v2/{proxy+}
-          cors: true
+          # cors: true
     package:
       individually: true
       patterns:
@@ -635,6 +635,9 @@ functions:
       - http:
           method: POST
           path: v2/github/activity
+      - http:
+          method: OPTIONS
+          path: v2/github/activity
     package:
       individually: true
       patterns: