feat: implement CORS configuration and handling#243
Conversation
- Added CORS support to the API by introducing a new CorsConfig struct to manage allowed origins and wildcard suffixes. - Implemented is_origin_allowed function to validate incoming requests against the CORS configuration. - Integrated CORS layer into the application router to handle preflight requests and specify allowed methods and headers. - Updated tests to verify CORS functionality, including exact matches, localhost, and wildcard suffixes. - Modified ApiConfig to include CORS settings, ensuring they can be configured via environment variables.
PierreLeGuen
requested review from
Evrard-Nil,
henrypark133,
nickpismenkov and
think-in-universe
PierreLeGuen
had a problem deploying
to
Cloud API test env
GitHub Actions
Failure
PierreLeGuen
temporarily deployed
to
Cloud API test env
GitHub Actions
Inactive
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This is the final PR Bugbot will review for you during this billing cycle
Your free Bugbot reviews will reset on January 9
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| if remainder.is_empty() || remainder.starts_with(':') { | ||
| return true; | ||
| } | ||
| } |
There was a problem hiding this comment.
Bug: Localhost CORS bypass is hardcoded and cannot be disabled
The is_origin_allowed function unconditionally allows http://localhost and http://127.0.0.1 origins regardless of the CorsConfig settings. This means in production environments, any local web server can make CORS requests to the API, which could be exploited by malware or malicious local processes. This bypass cannot be disabled through configuration, making it impossible to secure the API against local origin attacks in production.
2 participants
Note
Adds env-driven
CorsConfigand enforces CORS viaCorsLayerwith predicate-based origin checks, plus comprehensive tests.config::CorsConfigwithexact_matchesandwildcard_suffixes; default parsesCORS_ALLOWED_ORIGINS(supports*.domain,*-suffix).config::ApiConfigwithcors: CorsConfigand update test configs to include it.is_origin_allowedto validate origins (exact matches;http://localhost[:port],http://127.0.0.1[:port];https://with allowed suffixes).tower_http::cors::CorsLayerusingAllowOrigin::predicateinbuild_app_with_config; allow and exposeAnymethods/headers.CorsConfigvariants and whitespace/empty entries.Written by Cursor Bugbot for commit d8bca65. This will update automatically on new commits. Configure here.