feat: allow configuration of cors domains and credentials

[jhleao]

Description

Problem

For applications that use cookie-based auth, CORS domain wildcards are not allowed. Need to specify explicit domains instead. Plus, Access-Control-Allow-Credentials must be set to true.

Solution

This makes CORS domains optionally configurable via CORS_ALLOW_ORIGINS, same for Access-Control-Allow-Credentials via CORS_ALLOW_CREDENTIALS. If no configuration is specified, current behavior is kept.

[dbarrosop]

Thanks for the PR. However, we need to slightly change the implementation:

1. Instead or reading directly from env vars, use command flags (i.e. cors-allow-origins), defaulting to the current value *.
2. Pass the value of the resolved flags from cmd down to SetupRouter

Thanks again for the contribution.

[dbarrosop]

Thanks! Looks good to me but tests need to be fixed, I think you just need to pass the new parameters to SetupRouter in the tests that use it.

[jhleao]

@dbarrosop I couldn't get these tests to pass locally... But I believe the problem to be on my dev environment. Can you trigger CI again?

[dbarrosop]

Nice! Thanks a lot for the contribution.