From 541c8bee184568b4df6b10f78430cfbaa3e04015 Mon Sep 17 00:00:00 2001
From: Raimundo Herrera
Date: Mon, 17 Feb 2020 10:29:40 -0300
Subject: [PATCH] feat(cors): use safer api/public-only CORS configuration

closes #202
---
 CHANGELOG.md                       | 1 +
 lib/potassium/recipes/rack_cors.rb | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a92599cb..7a260adb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Features:
 - Update ruby to 2.7.0 [#264](https://github.com/platanus/potassium/pull/264)
 - Add tailwindcss [#266](https://github.com/platanus/potassium/pull/266)
 - Update rack-cors to 1.1 [#269](https://github.com/platanus/potassium/pull/269)
+- Use safer CORS configuration exposing only API and public resources [#271](https://github.com/platanus/potassium/pull/271)
 
 Fix:
 - Correctly use cache for bundle dependencies in CircleCI build [#244](https://github.com/platanus/potassium/pull/244) and [#258](https://github.com/platanus/potassium/pull/258)
diff --git a/lib/potassium/recipes/rack_cors.rb b/lib/potassium/recipes/rack_cors.rb
index 7de8b589..19341aa8 100644
--- a/lib/potassium/recipes/rack_cors.rb
+++ b/lib/potassium/recipes/rack_cors.rb
@@ -16,10 +16,11 @@ def rack_cors_config
 config.middleware.insert_before 0, Rack::Cors do
   allow do
     origins '*'
-    resource '*',
+    resource '/public/*', headers: :any, methods: :get
+    resource '/api/*',
       headers: :any,
       expose: ['X-Page', 'X-PageTotal'],
-      methods: [:get, :post, :delete, :put, :options]
+      methods: [:get, :post, :patch, :put, :options]
   end
 end
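Review bot: The new `/api/*` resource drops `:delete` from the allowed methods while adding `:patch`, so any cross-origin DELETE the old wildcard resource permitted will now fail preflight; if that is intended it should be stated in the changelog entry, otherwise the line should read `methods: [:get, :post, :put, :patch, :delete, :options]`. Both resources keep `origins '*'` with `headers: :any`, so the "safer" scope is only about which paths answer CORS: any web origin can still send requests carrying an `Authorization` header to `/api/*` and read the response, and `/public/*` is readable by anyone. That is only acceptable because rack-cors 1.x (the changelog shows the bump to 1.1) defaults `credentials` to false, so browser cookies and sessions are never attached; a comment such as `# origins '*' is safe only while credentials stay false — cookie/session-authenticated endpoints must not rely on this block` would stop a later edit from combining the two. Consider sourcing the allowed origins from configuration, e.g. `origins ENV.fetch('CORS_ORIGINS', '*').split(',')`, so a deployment that wants to pin the API to known front-ends can do so without editing the generated file. The enclosing `def rack_cors_config` starts before this hunk, and the hunk's trailing context line appears to continue past what is shown.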