fix cors strategy for Java/NodeJs/Python #2001

Merged
merged 11 commits into from
May 2, 2023

vhvb1989
Member

@vhvb1989 vhvb1989 commented Apr 20, 2023

fix: #1057

This PR re-designs the CORS strategy for the api service.

There are 2 layers where CORS (allowed-origins) can be configured:

  • Infra: The Azure Service takes care of validating the incoming http request and lets only allowed-origins get to the api server.
  • Runtime server: Once the request passes the infra layer, it is received by the server running on the Azure Service and it can also check allowed-origins.

Not every Azure service supports the CORS configuration on infra layer. For example, Azure Container Apps does not support the CORS configuration on infra layer.

Old strategy

  • Use CORS on infra layer if supported (web-apps) and do not add CORS on runtime server
  • Use CORS on runtime server when it is not supported on infra layer, like Azure container apps.
    • Use web-client url as value for REACT_APP_WEB_BASE_URL which is used by the api server as a valid origin.
  • Allow all origins when the application is running locally (not in Azure services)

Old strategy issues

  • Wrong detection for running api service locally v/s running on Azure Service.

New Strategy

  • Make the api service configure CORS by default and expose an env var to allow customers to opt out and allow all origins on demand:
    • Using API_ENVIRONMENT=develop makes the application allow all origins on the runtime server layer.
    • Update tasks.json and launch.json to set this env var when launching the app locally, so CORS is disabled.
    • Document the env var in the app Readme for customers who are not using the VSCode task to start the api, so they know how to allow all origins.
  • Expose env var: API_ALLOW_ORIGINS as a way for customers to define a list of allowed origins for the runtime service layer.
    • Set API_ALLOW_ORIGINS to include the web client host url when deploying the infrastructure; this value is then used by the runtime server to allow the web client as origin.

Notes

  • If the Azure service supports CORS, the validation will be done by the infra layer and also by the application layer.
  • The application can run locally with CORS enabled and customer can define specific list of allowed origins.
  • For templates using Azure Functions:
    • CORS is only configured on the infra layer
    • As the solution is serverless, there is not a runtime server configured and serving the api backend.
    • On every request to Azure Functions, the api-backend is started to dispatch the request without using a server like tomcat for java or uvicorn in python. Hence, there's no layer to configure cors.

@ghost ghost assigned vhvb1989 Apr 20, 2023
@vhvb1989 vhvb1989 changed the title fix cors set for nodejs server fix cors strategy for Java/NodeJs/Python Apr 21, 2023
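
The runtime-layer decision described in the PR description above, as an added TypeScript example that is not code from this PR or from the templates: `API_ENVIRONMENT=develop` opts out to all origins, otherwise only origins listed in `API_ALLOW_ORIGINS` are echoed back. The comma-separated list format, failing closed when the list is empty, rejecting wildcard or path entries, and every function and type name are assumptions of this example.

```typescript
// Added example. Only API_ENVIRONMENT and API_ALLOW_ORIGINS come from the PR text;
// every other name here is hypothetical.
type Env = Record<string, string | undefined>;

interface CorsPolicy {
  allowAll: boolean;     // true only for the explicit develop opt-out
  origins: Set<string>;  // normalised scheme://host[:port] entries
  rejected: string[];    // configured entries that are not a plain origin
}

// A plain origin: scheme://host[:port], no path, query or wildcard.
const ORIGIN_RE = /^https?:\/\/[a-z0-9.-]+(:\d+)?$/;

function normalizeOrigin(value: string): string | null {
  const v = value.trim().toLowerCase().replace(/\/+$/, "");
  return ORIGIN_RE.test(v) ? v : null;
}

function resolveCorsPolicy(env: Env): CorsPolicy {
  const policy: CorsPolicy = { allowAll: false, origins: new Set<string>(), rejected: [] };
  if (env["API_ENVIRONMENT"] === "develop") {
    policy.allowAll = true; // opt-out: allow all origins on the runtime layer
    return policy;
  }
  // Assumption: the list is comma-separated. An unset or empty list allows nothing.
  for (const raw of (env["API_ALLOW_ORIGINS"] ?? "").split(",")) {
    const entry = raw.trim();
    if (entry === "") continue;
    const origin = normalizeOrigin(entry);
    if (origin !== null) policy.origins.add(origin);
    else policy.rejected.push(entry);
  }
  return policy;
}

// Value for Access-Control-Allow-Origin, or null to send no CORS header.
// Exact string match only: a prefix or substring test would accept look-alike hosts.
function allowOriginHeader(policy: CorsPolicy, requestOrigin?: string): string | null {
  if (policy.allowAll) return "*";
  if (requestOrigin === undefined) return null;
  return policy.origins.has(requestOrigin) ? requestOrigin : null;
}

// Constructed sample configuration (not taken from the PR).
const SAMPLE_ENV: Env = {
  API_ALLOW_ORIGINS:
    "https://web.example.test, https://admin.example.test:8443/, *, https://web.example.test/path",
};
```

In a Node server, pass `process.env` to `resolveCorsPolicy` once at startup and log `rejected`, so a mistyped origin is noticed at deploy time rather than as a blocked browser request.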
@azure-sdk
Collaborator

Repoman Generation Results

Repoman pushed changes to remotes for the following projects:

Project: todo-csharp-cosmos-sql

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-csharp-cosmos-sql -b pr/2001

View Changes | Compare Changes


Project: todo-csharp-sql-swa-func

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-csharp-sql-swa-func -b pr/2001

View Changes | Compare Changes


Project: todo-csharp-sql

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-csharp-sql -b pr/2001

View Changes | Compare Changes


Project: todo-java-mongo-aca

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-java-mongo-aca -b pr/2001

View Changes | Compare Changes


Project: todo-java-mongo

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-java-mongo -b pr/2001

View Changes | Compare Changes


Project: todo-nodejs-mongo-aca

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo-aca -b pr/2001

View Changes | Compare Changes


Project: todo-nodejs-mongo-aks

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo-aks -b pr/2001

View Changes | Compare Changes


Project: todo-nodejs-mongo-swa-func

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo-swa-func -b pr/2001

View Changes | Compare Changes


Project: todo-nodejs-mongo

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo -b pr/2001

View Changes | Compare Changes


Project: todo-nodejs-mongo-terraform

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-nodejs-mongo-terraform -b pr/2001

View Changes | Compare Changes


Project: todo-python-mongo-aca

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo-aca -b pr/2001

View Changes | Compare Changes


Project: todo-python-mongo-swa-func

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo-swa-func -b pr/2001

View Changes | Compare Changes


Project: todo-python-mongo

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo -b pr/2001

View Changes | Compare Changes


Project: todo-python-mongo-terraform

Remote: azure-samples-staging

Branch: pr/2001

You can initialize this project with:

azd init -t Azure-Samples/todo-python-mongo-terraform -b pr/2001

View Changes | Compare Changes


Contributor

@hemarina hemarina left a comment

LGTM. Thanks for the great work and the fix! I just have a few comments.

templates/todo/api/java/README.md
templates/todo/api/js/src/app.ts
templates/todo/api/js/src/app.ts
@vhvb1989 vhvb1989 merged commit c323f7e into Azure:main May 2, 2023
@vhvb1989 vhvb1989 deleted the fix-cors-local-run-server branch May 2, 2023 01:01
Successfully merging this pull request may close these issues.

Start api in vscode failed when run vscode tests in todo-python-mongo-swa-func
4 participants