[SUP-27] cors config updates #8633

Open · wants to merge 2 commits into base: main

Conversation

mayberryzane
Contributor

Summary

  • Highlight doesn't use credentials for public graph requests, but we should not allow credentials in case this changes in future
  • move cors configs within the public and private routers only - I don't think it's necessary to use cors on other routes (/health, /otel) and we should probably have separate public/private configs for hobby deploys too rather than using a single one for the All runtime - @Vadman97 can you confirm this last bullet point?

How did you test this change?

  • click-tested locally to confirm functionality was working properly, tested cross-origin requests

Are there any deployment considerations?

  • no

Does this work require review from our design team?

  • no

linear bot commented May 21, 2024

changeset-bot bot commented May 21, 2024

⚠️ No Changeset found

Latest commit: 00dfc4a


@mayberryzane mayberryzane requested review from a team, ccschmitz and Vadman97 and removed request for a team May 21, 2024 00:25

@greptile-apps greptile-apps bot left a comment

Pull Request Summary

  • Updated CORS Configuration: Separated CORS settings for public and private routes to enhance security and prevent credentials from being allowed in public graph requests.
  • Scoped CORS Configurations: Moved CORS configurations within the public and private routers only, excluding routes like /health and /otel.

Notes

  • Security Enhancement: Ensures future-proofing by not allowing credentials for public graph requests.
  • Code Reuse Opportunity: Consider centralizing CORS configuration logic to avoid duplication and ensure consistency across different environments.

backend/main.go: 5 inline review comments (resolved)
Contributor

@ccschmitz ccschmitz left a comment

I know you had an open question out for @Vadman97, but this looks good to me!

backend/main.go (review context):

    if origin == frontendURL || origin == "https://app.highlight.run" || origin == "https://app.highlight.io" || origin == landingStagingURL || isRenderPreviewEnv || isAWSEnv || isReflamePreview {
        return true
    }
    } else if runtimeParsed == util.PublicGraph || runtimeParsed == util.All {
Member

> we should probably have separate public/private configs for hobby deploys too rather than using a single one for the All runtime?

Yeah, we can detect the hobby deploy via the util.IsInDocker() check, split out the configs, and then use the REACT_APP_PRIVATE_GRAPH_URI and REACT_APP_PUBLIC_GRAPH_URI values for the respective origin checks. With the normal hobby deploy, though, the private and public graphs run together, but assuming the runtime flag is used we should use the corresponding origin.
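The two points raised in this thread (no credentials on the public graph, and a separate per-router policy instead of one config for the All runtime) are easier to reason about with a concrete split. The following is an added example written for this page, not Highlight's backend/main.go and not the rs/cors configuration it uses: a minimal CORS middleware with one policy per router, mounted by a hypothetical NewRouter that mimics the public / private / all runtime switch. PublicGraphPolicy, PrivateGraphPolicy, OriginOf, Probe and the runtime strings are all assumed names. The public policy reflects any Origin but never emits Access-Control-Allow-Credentials, so even a future change to send cookies cannot turn into a cross-origin credentialed read; the private policy is an exact-match allowlist with credentials; /health gets no CORS handling at all.

```go
package main

// Added example, not Highlight's code. Names below are hypothetical.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// CORSPolicy is the per-router configuration.
type CORSPolicy struct {
	AllowOrigin      func(origin string) bool
	AllowCredentials bool
	AllowedMethods   []string
	AllowedHeaders   []string
}

// PublicGraphPolicy: any origin may call the public graph (SDKs run on
// customer sites), but credentials are never allowed, so a reflected
// origin can never be paired with cookies.
func PublicGraphPolicy() CORSPolicy {
	return CORSPolicy{
		AllowOrigin:      func(string) bool { return true },
		AllowCredentials: false,
		AllowedMethods:   []string{"POST", "OPTIONS"},
		AllowedHeaders:   []string{"Content-Type"},
	}
}

// PrivateGraphPolicy: exact-match allowlist plus credentials. No prefix or
// suffix matching, which is where origin checks usually go wrong.
func PrivateGraphPolicy(allowed []string) CORSPolicy {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(strings.TrimSuffix(a, "/"))] = struct{}{}
	}
	return CORSPolicy{
		AllowOrigin: func(origin string) bool {
			_, ok := set[strings.ToLower(origin)]
			return ok
		},
		AllowCredentials: true,
		AllowedMethods:   []string{"POST", "OPTIONS"},
		AllowedHeaders:   []string{"Content-Type", "Authorization"},
	}
}

// OriginOf reduces a URI to its origin (scheme://host[:port]). In a hobby
// deploy the URI could be taken from an env var such as
// REACT_APP_PRIVATE_GRAPH_URI (assumption about how that value is used).
func OriginOf(uri string) string {
	u, err := url.Parse(uri)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// Wrap applies the policy to one handler. A disallowed origin gets no CORS
// headers, so the browser refuses to expose the response; a disallowed
// preflight is rejected outright.
func (p CORSPolicy) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" { // same-origin or non-browser client
			next.ServeHTTP(w, r)
			return
		}
		h := w.Header()
		h.Add("Vary", "Origin") // caches must key on Origin either way
		if !p.AllowOrigin(origin) {
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
			return
		}
		h.Set("Access-Control-Allow-Origin", origin)
		if p.AllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			h.Set("Access-Control-Allow-Methods", strings.Join(p.AllowedMethods, ", "))
			h.Set("Access-Control-Allow-Headers", strings.Join(p.AllowedHeaders, ", "))
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter mounts /health with no CORS middleware and each graph under its
// own policy; runtime is "public", "private" or "all" (hypothetical values).
func NewRouter(runtime string, privateOrigins []string) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	mux := http.NewServeMux()
	mux.Handle("/health", ok)
	if runtime == "public" || runtime == "all" {
		mux.Handle("/public", PublicGraphPolicy().Wrap(ok))
	}
	if runtime == "private" || runtime == "all" {
		mux.Handle("/private", PrivateGraphPolicy(privateOrigins).Wrap(ok))
	}
	return mux
}

// Probe issues a cross-origin request and returns the status plus the two
// headers that decide whether a credentialed read is possible.
func Probe(h http.Handler, method, path, origin string) (int, string, string) {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Origin", origin)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Access-Control-Allow-Credentials")
}

func main() {
	r := NewRouter("all", []string{OriginOf("https://app.example.test/private")})
	for _, c := range [][3]string{{"POST", "/public", "https://evil.example"}, {"POST", "/private", "https://evil.example"}, {"POST", "/private", "https://app.example.test"}} {
		code, ao, ac := Probe(r, c[0], c[1], c[2])
		fmt.Printf("%s %s from %s -> %d allow-origin=%q allow-credentials=%q\n", c[0], c[1], c[2], code, ao, ac)
	}
}
```

The property to check after any future change is the one the PR description worries about: no response from the public router may ever carry both a reflected Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true. The private router may carry both, but only for an origin that matches the allowlist exactly; everything else, including /health, gets no CORS headers.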
