feat: allow configuration of cors domains and credentials (#159)

cmd/serve.go

@@ -39,6 +39,8 @@ const (
 	postgresMigrationsSourceFlag = "postgres-migrations-source"
 	fastlyServiceFlag            = "fastly-service"
 	fastlyKeyFlag                = "fastly-key"
+	corsAllowOriginsFlag				 = "cors-allow-origins"
+	corsAllowCredentialsFlag		 = "cors-allow-credentials"
 )
 
 func ginLogger(logger *logrus.Logger) gin.HandlerFunc {
@@ -82,6 +84,8 @@ func getGin(
 	trustedProxies []string,
 	logger *logrus.Logger,
 	debug bool,
+	corsAllowOrigins []string,
+	corsAllowCredentials bool,
 ) (*gin.Engine, error) {
 	if !debug {
 		gin.SetMode(gin.ReleaseMode)
@@ -107,7 +111,7 @@ func getGin(
 		middlewares = append(middlewares, fastly.New(fastlyService, viper.GetString(fastlyKeyFlag), logger))
 	}
 
-	return ctrl.SetupRouter(trustedProxies, apiRootPrefix, middlewares...) //nolint: wrapcheck
+	return ctrl.SetupRouter(trustedProxies, apiRootPrefix, corsAllowOrigins, corsAllowCredentials, middlewares...) //nolint: wrapcheck
 }
 
 func getMetadataStorage(endpoint string) *metadata.Hasura {
@@ -214,6 +218,11 @@ func init() {
 		addStringFlag(serveCmd.Flags(), fastlyServiceFlag, "", "Enable Fastly middleware and enable automated purges")
 		addStringFlag(serveCmd.Flags(), fastlyKeyFlag, "", "Fastly CDN Key to authenticate purges")
 	}
+
+	{
+		addStringArrayFlag(serveCmd.Flags(), corsAllowOriginsFlag, []string{"*"}, "CORS allow origins")
+		addBoolFlag(serveCmd.Flags(), corsAllowCredentialsFlag, false, "CORS allow credentials")
+	}
 }
 
 var serveCmd = &cobra.Command{
@@ -282,6 +291,8 @@ var serveCmd = &cobra.Command{
 			viper.GetStringSlice(trustedProxiesFlag),
 			logger,
 			viper.GetBool(debugFlag),
+			viper.GetStringSlice(corsAllowOriginsFlag),
+			viper.GetBool(corsAllowCredentialsFlag),
 		)
 		cobra.CheckErr(err)
 

controller/controller.go

@@ -111,7 +111,11 @@ func New(
 }
 
 func (ctrl *Controller) SetupRouter(
-	trustedProxies []string, apiRootPrefix string, middleware ...gin.HandlerFunc,
+	trustedProxies []string,
+	apiRootPrefix string,
+	corsOrigins []string,
+	corsAllowCredentials bool,
+	middleware ...gin.HandlerFunc,
 ) (*gin.Engine, error) {
 	router := gin.New()
 	if err := router.SetTrustedProxies(trustedProxies); err != nil {
@@ -126,20 +130,25 @@ func (ctrl *Controller) SetupRouter(
 		router.Use(mw)
 	}
 
-	router.Use(cors.New(cors.Config{
-		AllowOrigins: []string{"*"},
+	corsConfig := cors.Config{
+		AllowOrigins: corsOrigins,
 		AllowMethods: []string{"GET", "PUT", "POST", "HEAD", "DELETE"},
 		AllowHeaders: []string{
 			"Authorization", "Origin", "if-match", "if-none-match", "if-modified-since", "if-unmodified-since",
 			"x-hasura-admin-secret", "x-nhost-bucket-id", "x-nhost-file-name", "x-nhost-file-id",
 			"x-hasura-role",
 		},
-		// AllowWildcard: true,
 		ExposeHeaders: []string{
 			"Content-Length", "Content-Type", "Cache-Control", "ETag", "Last-Modified", "X-Error",
 		},
 		MaxAge: 12 * time.Hour, //nolint: gomnd
-	}))
+	}
+
+	if corsAllowCredentials {
+		corsConfig.AllowCredentials = true
+	}
+
+	router.Use(cors.New(corsConfig))
 
 	router.GET("/healthz", ctrl.Health)
 

controller/delete_broken_metadata_test.go

@@ -103,7 +103,7 @@ func TestDeleteBrokenMetadata(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/delete_file_test.go

@@ -53,7 +53,7 @@ func TestDeleteFile(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/delete_orphans_test.go

@@ -75,7 +75,7 @@ func TestDeleteOrphans(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/get_file_information_test.go

@@ -146,7 +146,7 @@ func TestGetFileInfo(t *testing.T) {
 				logger,
 			)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/get_file_presigned_url_test.go

@@ -92,7 +92,7 @@ func TestGetFilePresignedURL(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/get_file_test.go

@@ -78,7 +78,7 @@ func TestGetFile(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/list_broken_metadata_test.go

@@ -96,7 +96,7 @@ func TestListBrokenMetadata(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/list_not_uploaded_test.go

@@ -84,7 +84,7 @@ func TestListNotUploaded(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/list_orphans_test.go

@@ -73,7 +73,7 @@ func TestListOrphans(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			responseRecorder := httptest.NewRecorder()
 

controller/update_file_test.go

@@ -148,7 +148,7 @@ func TestUpdateFile(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			body, contentType := createUpdateMultiForm(t, file)
 

controller/upload_file_test.go

@@ -231,7 +231,7 @@ func TestUploadFile(t *testing.T) {
 
 			ctrl := controller.New("http://asd", "/v1", "asdasd", metadataStorage, contentStorage, nil, logger)
 
-			router, _ := ctrl.SetupRouter(nil, "/v1", ginLogger(logger))
+			router, _ := ctrl.SetupRouter(nil, "/v1", []string{"*"}, false, ginLogger(logger))
 
 			body, contentType := createMultiForm(t, files...)