diff --git a/README.md b/README.md index 9f9cf2c25..dabcbcbcb 100644 --- a/README.md +++ b/README.md @@ -199,6 +199,31 @@ http: # Make sure to use https:// if you are using TLS. public_url: "http://localhost:23232" + # The cross-origin request security options + cors: + # The allowed cross-origin headers + allowed_headers: + - Accept + - Accept-Language + - Content-Language + - Origin + # - Content-Type + # - X-Requested-With + # - User-Agent + # - Authorization + + # The allowed cross-origin URLs + # allowed_origins: + # - * + + # The allowed cross-origin methods + allowed_methods: + - GET + - HEAD + - POST + # - PUT + # - OPTIONS + # The database configuration. db: # The database driver to use. diff --git a/pkg/config/config.go b/pkg/config/config.go index 103598a66..52b0194c5 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -55,6 +55,15 @@ type GitConfig struct { MaxConnections int `env:"MAX_CONNECTIONS" yaml:"max_connections"` } +// CORSConfig is the CORS configuration for the server. +type CORSConfig struct { + AllowedHeaders []string `env:"ALLOWED_HEADERS" yaml:"allowed_headers"` + + AllowedOrigins []string `env:"ALLOWED_ORIGINS" yaml:"allowed_origins"` + + AllowedMethods []string `env:"ALLOWED_METHODS" yaml:"allowed_methods"` +} + // HTTPConfig is the HTTP configuration for the server. type HTTPConfig struct { // ListenAddr is the address on which the HTTP server will listen. @@ -68,6 +77,9 @@ type HTTPConfig struct { // PublicURL is the public URL of the HTTP server. PublicURL string `env:"PUBLIC_URL" yaml:"public_url"` + + // HTTP is the configuration for the HTTP server. + CORS CORSConfig `envPrefix:"CORS_" yaml:"cors"` } // StatsConfig is the configuration for the stats server. @@ -180,6 +192,9 @@ func (c *Config) Environ() []string { fmt.Sprintf("SOFT_SERVE_HTTP_TLS_KEY_PATH=%s", c.HTTP.TLSKeyPath), fmt.Sprintf("SOFT_SERVE_HTTP_TLS_CERT_PATH=%s", c.HTTP.TLSCertPath), fmt.Sprintf("SOFT_SERVE_HTTP_PUBLIC_URL=%s", c.HTTP.PublicURL), + fmt.Sprintf("SOFT_SERVE_HTTP_CORS_ALLOWED_HEADERS=%s", strings.Join(c.HTTP.CORS.AllowedHeaders, "\n")), + fmt.Sprintf("SOFT_SERVE_HTTP_CORS_ALLOWED_ORIGINS=%s", strings.Join(c.HTTP.CORS.AllowedOrigins, "\n")), + fmt.Sprintf("SOFT_SERVE_HTTP_CORS_ALLOWED_METHODS=%s", strings.Join(c.HTTP.CORS.AllowedMethods, "\n")), fmt.Sprintf("SOFT_SERVE_STATS_LISTEN_ADDR=%s", c.Stats.ListenAddr), fmt.Sprintf("SOFT_SERVE_LOG_FORMAT=%s", c.Log.Format), fmt.Sprintf("SOFT_SERVE_LOG_TIME_FORMAT=%s", c.Log.TimeFormat), diff --git a/pkg/web/server.go b/pkg/web/server.go index 74a04f5b1..ab336e89a 100644 --- a/pkg/web/server.go +++ b/pkg/web/server.go @@ -5,6 +5,7 @@ import ( "net/http" "github.com/charmbracelet/log" + "github.com/charmbracelet/soft-serve/pkg/config" "github.com/gorilla/handlers" "github.com/gorilla/mux" ) @@ -26,5 +27,12 @@ func NewRouter(ctx context.Context) http.Handler { h = handlers.CompressHandler(h) h = handlers.RecoveryHandler()(h) + cfg := config.FromContext(ctx) + + h = handlers.CORS(handlers.AllowedHeaders(cfg.HTTP.CORS.AllowedHeaders), + handlers.AllowedOrigins(cfg.HTTP.CORS.AllowedOrigins), + handlers.AllowedMethods(cfg.HTTP.CORS.AllowedMethods), + )(h) + return h }