feat: Add allowed origins config (sourcenetwork#1408)

## Relevant issue(s) Resolves sourcenetwork#1355 ## Description This PR adds the option to set allowed origins for the HTTP API using the config file or a CLI flag.
shahzadlone · Apr 27, 2023 · fdddece · fdddece
1 parent 5a5ba85
commit fdddece
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -375,6 +375,19 @@ Note: `sudo` is needed above for the redirection server (to bind port 80).
 
 A valid email address is necessary for the creation of the certificate, and is important to get notifications from the Certificate Authority - in case the certificate is about to expire, etc.
 
+## Supporting CORS
+
+When accessing DefraDB through a frontend interface, you may be confronted with a CORS error. That is because, by default, DefraDB will not have any allowed origins set. To specify which origins should be allowed to access your DefraDB endpoint, you can specify them when starting the database:
+```shell
+defradb start --allowe-dorigins=https://yourdomain.com
+```
+
+If running a frontend app locally on localhost, allowed origins must be set with the port of the app:
+```shell
+defradb start --allowed-origins=http://localhost:3000
+```
+
+The catch-all `*` is also a valid origin. 
 
 ## Community
 

diff --git a/cli/start.go b/cli/start.go
@@ -154,6 +154,15 @@ func MakeStartCommand(cfg *config.Config) *cobra.Command {
 		log.FeedbackFatalE(context.Background(), "Could not bind api.tls", err)
 	}
 
+	cmd.Flags().StringArray(
+		"allowed-origins", cfg.API.AllowedOrigins,
+		"List of origins to allow for CORS requests",
+	)
+	err = cfg.BindFlag("api.allowed-origins", cmd.Flags().Lookup("allowed-origins"))
+	if err != nil {
+		log.FeedbackFatalE(context.Background(), "Could not bind api.allowed-origins", err)
+	}
+
 	cmd.Flags().String(
 		"pubkeypath", cfg.API.PubKeyPath,
 		"Path to the public key for tls",
@@ -319,6 +328,7 @@ func start(ctx context.Context, cfg *config.Config) (*defraInstance, error) {
 	sOpt := []func(*httpapi.Server){
 		httpapi.WithAddress(cfg.API.Address),
 		httpapi.WithRootDir(cfg.Rootdir),
+		httpapi.WithAllowedOrigins(cfg.API.AllowedOrigins...),
 	}
 
 	if n != nil {

diff --git a/config/config.go b/config/config.go
@@ -287,20 +287,22 @@ func (dbcfg DatastoreConfig) validate() error {
 
 // APIConfig configures the API endpoints.
 type APIConfig struct {
-	Address     string
-	TLS         bool
-	PubKeyPath  string
-	PrivKeyPath string
-	Email       string
+	Address        string
+	TLS            bool
+	AllowedOrigins []string `mapstructure:"allowed-origins"`
+	PubKeyPath     string
+	PrivKeyPath    string
+	Email          string
 }
 
 func defaultAPIConfig() *APIConfig {
 	return &APIConfig{
-		Address:     "localhost:9181",
-		TLS:         false,
-		PubKeyPath:  "certs/server.key",
-		PrivKeyPath: "certs/server.crt",
-		Email:       DefaultAPIEmail,
+		Address:        "localhost:9181",
+		TLS:            false,
+		AllowedOrigins: []string{},
+		PubKeyPath:     "certs/server.key",
+		PrivKeyPath:    "certs/server.crt",
+		Email:          DefaultAPIEmail,
 	}
 }
 

diff --git a/config/configfile_yaml.gotmpl b/config/configfile_yaml.gotmpl
@@ -23,6 +23,8 @@ api:
     address: {{ .API.Address }}
     # Whether the API server should listen over HTTPS
     tls: {{ .API.TLS }}
+    # The list of origins a cross-domain request can be executed from.
+    # allowed-origins: {{ .API.AllowedOrigins }}
     # The path to the public key file. Ignored if domains is set.
     pubkeypath: {{ .API.PubKeyPath }}
     # The path to the private key file. Ignored if domains is set.