From b2b1546a8f968ad3da8ae8322c0ed85f86dbf647 Mon Sep 17 00:00:00 2001
From: konrad
Date: Sun, 26 Jan 2020 19:09:54 +0000
Subject: [PATCH] Add config options for cors handling (#124)

Add config options for cors handling

Co-authored-by: kolaente
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/124
---
 config.yml.sample | 9 +++++++++
 docs/content/doc/setup/config.md | 9 +++++++++
 pkg/config/config.go | 13 +++++++++++++
 pkg/routes/routes.go | 23 +++++++++++++----------
 4 files changed, 44 insertions(+), 10 deletions(-)

diff --git a/config.yml.sample b/config.yml.sample
index 29f518d506c..f19dc85dbe6 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -63,6 +63,15 @@ redis:
 # 0 means default database
 db: 0
 
+cors:
+ # Whether to enable or disable cors headers.
+ enable: true
+ # A list of origins which may access the api.
+ origins:
+ - *
+ # How long (in seconds) the results of a preflight request can be cached.
+ maxage: 0
+
 mailer:
 # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
 enabled: false
diff --git a/docs/content/doc/setup/config.md b/docs/content/doc/setup/config.md
index a61931d84da..33ce79c4e16 100644
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@@ -106,6 +106,15 @@ redis:
 # 0 means default database
 db: 0
 
+cors:
+ # Whether to enable or disable cors headers.
+ enable: true
+ # A list of origins which may access the api.
+ origins:
+ - *
+ # How long (in seconds) the results of a preflight request can be cached.
+ maxage: 0
+
 mailer:
 # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
 enabled: false
diff --git a/pkg/config/config.go b/pkg/config/config.go
index a695ce194e8..27f68361946 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
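Review bot: The added `origins:` entry in config.yml.sample is a bare `- *`, and `*` is YAML's alias indicator, so a parser will most likely reject the sample file, or at least not read it as the literal wildcard, once an operator copies it unchanged. Quote it as `- "*"`. The docs/content/doc/setup/config.md hunk carries the same line and needs the same quoting. Because operators start from this sample, the comment above the list could also state the effect, e.g. `# "*" lets any origin read API responses; list your frontend origin(s) explicitly in production.`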
@@ -94,6 +94,10 @@ const (
 MigrationWunderlistClientID Key = `migration.wunderlist.clientid`
 MigrationWunderlistClientSecret Key = `migration.wunderlist.clientsecret`
 MigrationWunderlistRedirectURL Key = `migration.wunderlist.redirecturl`
+
+ CorsEnable Key = `cors.enable`
+ CorsOrigins Key = `cors.origins`
+ CorsMaxAge Key = `cors.maxage`
 )
 
 // GetString returns a string config value
@@ -121,6 +125,11 @@ func (k Key) GetDuration() time.Duration {
 return viper.GetDuration(string(k))
 }
 
+// GetStringSlice returns a string slice from a config option
+func (k Key) GetStringSlice() []string {
+ return viper.GetStringSlice(string(k))
+}
+
 // Set sets a value
 func (k Key) Set(i interface{}) {
 viper.Set(string(k), i)
@@ -205,6 +214,10 @@ func InitDefaultConfig() {
 // Files
 FilesBasePath.setDefault("files")
 FilesMaxSize.setDefault("20MB")
+ // Cors
+ CorsEnable.setDefault(true)
+ CorsOrigins.setDefault([]string{"*"})
+ CorsMaxAge.setDefault(0)
 }
 
 // InitConfig initializes the config, sets defaults etc.
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index 6facec41995..b3d8ef11400 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
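Review bot: The `CorsOrigins.setDefault([]string{"*"})` default in the InitDefaultConfig hunk of pkg/config/config.go keeps the API readable from every origin unless the operator overrides `cors.origins`, and the bare `// Cors` comment does not say so. It matches the value that routes.go hard-coded before, so nothing regresses, but the permissive default deserves to be a visible decision. A comment such as `// Default keeps the previous allow-all policy; restrict cors.origins to the frontend origin(s) in production.` would do. InitDefaultConfig starts above the hunk, so only its tail is visible here.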
@@ -138,16 +138,19 @@ func RegisterRoutes(e *echo.Echo) {
 }
 
 // CORS_SHIT
- e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
- AllowOrigins: []string{"*"},
- Skipper: func(context echo.Context) bool {
- // Since it is not possible to register this middleware just for the api group,
- // we just disable it when for caldav requests.
- // Caldav requires OPTIONS requests to be answered in a specific manner,
- // not doing this would break the caldav implementation
- return strings.HasPrefix(context.Path(), "/dav")
- },
- }))
+ if config.CorsEnable.GetBool() {
+ e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+ AllowOrigins: config.CorsOrigins.GetStringSlice(),
+ MaxAge: config.CorsMaxAge.GetInt(),
+ Skipper: func(context echo.Context) bool {
+ // Since it is not possible to register this middleware just for the api group,
+ // we just disable it when for caldav requests.
+ // Caldav requires OPTIONS requests to be answered in a specific manner,
+ // not doing this would break the caldav implementation
+ return strings.HasPrefix(context.Path(), "/dav")
+ },
+ }))
+ }
 
 // API Routes
 a := e.Group("/api/v1")
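Review bot: `AllowOrigins: config.CorsOrigins.GetStringSlice()` hands the configured list to the middleware unchecked, and an empty list does not mean "no origins". As far as I know echo's CORSWithConfig substitutes its own default of `*` when AllowOrigins is empty, so an operator who writes `origins: []` to lock the API down would get the allow-all policy instead. Read the list first with `origins := config.CorsOrigins.GetStringSlice()` and register the middleware only under `if config.CorsEnable.GetBool() && len(origins) > 0 {`, logging a warning when CORS is enabled with no origins. RegisterRoutes begins and ends outside this hunk, so the logger available there is not visible.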