feat: Add allowed origins config #1408
Conversation
fredcarle
added
area/api
My vote would be for the opposite, and have it locked down by default. Forgetting (or not knowing about this) could be an expensive mistake. I also think that locked down by default is the norm (I remember having to mess with stuff like this a few times to enable CORS, but never to block it). |
Codecov Report
@@ Coverage Diff @@
## develop #1408 +/- ##
===========================================
- Coverage 72.07% 72.02% -0.05%
===========================================
Files 185 185
Lines 18175 18185 +10
===========================================
- Hits 13099 13098 -1
- Misses 4043 4049 +6
- Partials 1033 1038 +5
|
I'm happy with that 👍 |
README.md
Outdated
|
|
||
| When accessing DefraDB through a frontend interface, you may be confronted with a CORS error. That is because, by default, DefraDB will not have any allowed origins set. To specify which origins should be allowed to access your DefraDB endpoint, you can specify them when starting the database: | ||
| ```shell | ||
| defradb start --allowedorigins=https://yourdomain.com |
There was a problem hiding this comment.
suggestion:
How about just origins. Mostly because we don't have a blockedorigins or any other option like that. Also allowedorigins is less readable, perhaps allowedOrigins if you want to stick with the "allowed" word.
| defradb start --allowedorigins=https://yourdomain.com | |
| defradb start --origins=https://yourdomain.com |
There was a problem hiding this comment.
The thing with --origins is that it's a little vague and the http header is called With-Allowed-Origins. I feel like it makes more sense to have almost the full representation here as well. allowedOrigins could be nicer.
There was a problem hiding this comment.
nitpick: I have a very minor preference for allowed-origins, but only if it we dont already camel case any other existing multi-word params/flags
There was a problem hiding this comment.
I do like allowed-origins, would prefer that over allowedOrigins
There was a problem hiding this comment.
one idea is corsdomain, and perhaps alternatively using --api.corsdomain or http.corsdomain depending on which top-level key we want to represent the http system.
when determining defradb's parameters, we have to keep in mind that they have three points of determination: environment variables, config file, CLI command.
There was a problem hiding this comment.
I'd rather we stay closer to what it represents. allowed-origins is quite good.
There was a problem hiding this comment.
so the fully qualified key from the config's perspective would be api.allowed-origins, so perhaps it can be --allowed-origins in the CLI but as an env. variable it would be DEFRA_API_ALLOWED_ORIGINS perhaps. i'm not sure yet about if it's necessary to quote such a key with a - in Yaml - it might have to be
[api]
"allowed-origins": ...There was a problem hiding this comment.
I don't think it is according to what I see here https://www.cloudbees.com/blog/yaml-tutorial-everything-you-need-get-started
fredcarle
force-pushed
the
fredcarle/feat/I1355-allowed-origin-config
branch
from
7f57249
to
78e3de1
Compare
## Relevant issue(s) Resolves sourcenetwork#1355 ## Description This PR adds the option to set allowed origins for the HTTP API using the config file or a CLI flag.
Relevant issue(s)
Resolves #1355
Description
This PR adds the option to set allowed origins for the HTTP API using the config file or a CLI flag.
Tasks
How has this been tested?
Unit tests and curl with allowedOrigins set to http://test.com
Specify the platform(s) on which this was tested: