From 4a46da6cc63d1223fea505c818fd84fdc9207211 Mon Sep 17 00:00:00 2001 From: Zach Hayes Date: Thu, 12 Mar 2026 15:18:13 -0700 Subject: [PATCH 1/5] setup CORS for extension --- go.mod | 1 + go.sum | 2 ++ server/server.go | 11 +++++++++++ 3 files changed, 14 insertions(+) diff --git a/go.mod b/go.mod index 09b7aa8..c236b46 100644 --- a/go.mod +++ b/go.mod @@ -6,6 +6,7 @@ toolchain go1.24.7 require ( github.com/go-chi/chi/v5 v5.2.4 + github.com/go-chi/cors v1.2.2 github.com/go-chi/render v1.0.3 github.com/go-viper/mapstructure/v2 v2.4.0 github.com/google/go-cmp v0.7.0 diff --git a/go.sum b/go.sum index bdf6158..ae82bf0 100644 --- a/go.sum +++ b/go.sum @@ -9,6 +9,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/go-chi/chi/v5 v5.2.4 h1:WtFKPHwlywe8Srng8j2BhOD9312j9cGUxG1SP4V2cR4= github.com/go-chi/chi/v5 v5.2.4/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0= +github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE= +github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58= github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4= github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0= github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= diff --git a/server/server.go b/server/server.go index 56eda66..44b6fbc 100644 --- a/server/server.go +++ b/server/server.go @@ -10,6 +10,7 @@ import ( "github.com/go-chi/chi/v5" "github.com/go-chi/chi/v5/middleware" + "github.com/go-chi/cors" ) type Server struct { @@ -19,6 +20,16 @@ type Server struct { func New(cfg config.Config, factory repository.Factory) (*Server, error) { r := chi.NewRouter() + r.Use(cors.Handler(cors.Options{ + AllowedOrigins: []string{ + "chrome-extension://jjicbefpemnphinccgikpdaagjebbnhg", + }, + AllowedMethods: []string{"GET", "OPTIONS"}, + AllowedHeaders: []string{"Accept", "Content-Type"}, + AllowCredentials: true, + MaxAge: 300, + })) + r.Use(middleware.Recoverer) r.Use(middleware.RequestID) r.Use(middleware.RealIP) From 29744d497aec6653537feb963d0b4bd7e9a108d4 Mon Sep 17 00:00:00 2001 From: Zach Hayes Date: Fri, 13 Mar 2026 13:20:59 -0700 Subject: [PATCH 2/5] allow firefox extension in cors --- config/config.go | 3 ++- server/server.go | 20 ++++++++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/config/config.go b/config/config.go index 20ba274..9a26be2 100644 --- a/config/config.go +++ b/config/config.go @@ -25,7 +25,8 @@ type Config struct { } HTTP struct { - Port string + Port string + AllowedOrigins []string } Environment constants.Environment diff --git a/server/server.go b/server/server.go index 44b6fbc..4aa2a26 100644 --- a/server/server.go +++ b/server/server.go @@ -2,6 +2,8 @@ package server import ( "net/http" + "regexp" + "strings" "reverse-watch/api" "reverse-watch/config" @@ -21,8 +23,22 @@ func New(cfg config.Config, factory repository.Factory) (*Server, error) { r := chi.NewRouter() r.Use(cors.Handler(cors.Options{ - AllowedOrigins: []string{ - "chrome-extension://jjicbefpemnphinccgikpdaagjebbnhg", + AllowOriginFunc: func(r *http.Request, origin string) bool { + for _, allowedOrigin := range cfg.HTTP.AllowedOrigins { + if allowedOrigin == origin { + return true + } + } + + // Firefox extension IDs are randomly generated for each user. + // Therefore, we're scoping requests made from Firefox extensions to specific endpoints only. + firefoxExtensionOrigin := regexp.MustCompile("moz-extension://[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}") + if firefoxExtensionOrigin.MatchString(origin) { + if strings.Contains(r.RequestURI, "/api/v1/users") { + return true + } + } + return false }, AllowedMethods: []string{"GET", "OPTIONS"}, AllowedHeaders: []string{"Accept", "Content-Type"}, From 722b7ae5665d993e7b197b116b6b56284e3169d7 Mon Sep 17 00:00:00 2001 From: Zach Hayes Date: Fri, 13 Mar 2026 13:39:16 -0700 Subject: [PATCH 3/5] address comments --- server/server.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/server/server.go b/server/server.go index 4aa2a26..7568ad8 100644 --- a/server/server.go +++ b/server/server.go @@ -22,6 +22,8 @@ type Server struct { func New(cfg config.Config, factory repository.Factory) (*Server, error) { r := chi.NewRouter() + firefoxExtensionOrigin := regexp.MustCompile("^moz-extension://[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$") + r.Use(cors.Handler(cors.Options{ AllowOriginFunc: func(r *http.Request, origin string) bool { for _, allowedOrigin := range cfg.HTTP.AllowedOrigins { @@ -32,9 +34,8 @@ func New(cfg config.Config, factory repository.Factory) (*Server, error) { // Firefox extension IDs are randomly generated for each user. // Therefore, we're scoping requests made from Firefox extensions to specific endpoints only. - firefoxExtensionOrigin := regexp.MustCompile("moz-extension://[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}") if firefoxExtensionOrigin.MatchString(origin) { - if strings.Contains(r.RequestURI, "/api/v1/users") { + if strings.HasPrefix(r.RequestURI, "/api/v1/users/") { return true } } From ab5c61c0d330809a578fb5dab14609e8525b9840 Mon Sep 17 00:00:00 2001 From: Zach Hayes Date: Mon, 16 Mar 2026 11:36:45 -0700 Subject: [PATCH 4/5] config option to allow firefox extensions --- config/config.go | 6 ++++-- server/server.go | 12 +++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/config/config.go b/config/config.go index 9a26be2..e7ab6bc 100644 --- a/config/config.go +++ b/config/config.go @@ -25,8 +25,9 @@ type Config struct { } HTTP struct { - Port string - AllowedOrigins []string + Port string + AllowedOrigins []string + AllowFirefoxExtensions bool } Environment constants.Environment @@ -75,6 +76,7 @@ func load() Config { v.SetDefault("Database.PrivateDBName", "private") v.SetDefault("Database.PublicDBName", "public") v.SetDefault("HTTP.Port", "80") + v.SetDefault("HTTP.AllowFirefoxExtensions", false) v.SetDefault("Environment", constants.EnvironmentDevelopment) v.SetDefault("TrustProxy", false) v.SetDefault("Ingestors.CSFloat.Enable", false) diff --git a/server/server.go b/server/server.go index 8df923e..5f5a85b 100644 --- a/server/server.go +++ b/server/server.go @@ -32,11 +32,13 @@ func New(cfg config.Config, factory repository.Factory) (*Server, error) { } } - // Firefox extension IDs are randomly generated for each user. - // Therefore, we're scoping requests made from Firefox extensions to specific endpoints only. - if firefoxExtensionOrigin.MatchString(origin) { - if strings.HasPrefix(r.RequestURI, "/api/v1/users/") { - return true + if cfg.HTTP.AllowFirefoxExtensions { + // Firefox extension IDs are randomly generated for each user. + // Therefore, we're scoping requests made from Firefox extensions to specific endpoints only. + if firefoxExtensionOrigin.MatchString(origin) { + if strings.HasPrefix(r.RequestURI, "/api/v1/users/") { + return true + } } } return false From 16683bc6ab462e9f93d9500b37256d87b54b63b1 Mon Sep 17 00:00:00 2001 From: Zach Hayes Date: Mon, 16 Mar 2026 11:51:19 -0700 Subject: [PATCH 5/5] add BindEnv for AllowedOrigins --- config/config.go | 1 + 1 file changed, 1 insertion(+) diff --git a/config/config.go b/config/config.go index e7ab6bc..276bdfb 100644 --- a/config/config.go +++ b/config/config.go @@ -83,6 +83,7 @@ func load() Config { v.SetDefault("Ingestors.CSFloat.BaseURL", "https://csfloat.com") // Need to register environment variables if defaults aren't set + v.BindEnv("HTTP.AllowedOrigins") v.BindEnv("Ingestors.CSFloat.SecretKey") // Try to find the root directory, but don't panic if it fails since go.mod doesn't exist in production