Add config options for cors handling (#124)

Add config options for cors handling Co-authored-by: kolaente <k@knt.li> Reviewed-on: https://kolaente.dev/vikunja/api/pulls/124
2020-01-26 19:09:54 +00:00 · 2020-01-26 19:09:54 +00:00 · b2b1546a8f
commit b2b1546a8f
parent 7e9446ea07
4 changed files with 44 additions and 10 deletions
--- a/config.yml.sample
+++ b/config.yml.sample
@ -63,6 +63,15 @@ redis:
  # 0 means default database
  db: 0

+cors:
+  # Whether to enable or disable cors headers.
+  enable: true
+  # A list of origins which may access the api.
+  origins:
+    - *
+  # How long (in seconds) the results of a preflight request can be cached.
+  maxage: 0
+
 mailer:
  # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
  enabled: false
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@ -106,6 +106,15 @@ redis:
  # 0 means default database
  db: 0

+cors:
+  # Whether to enable or disable cors headers.
+  enable: true
+  # A list of origins which may access the api.
+  origins:
+    - *
+  # How long (in seconds) the results of a preflight request can be cached.
+  maxage: 0
+
 mailer:
  # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
  enabled: false
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -94,6 +94,10 @@ const (
 	MigrationWunderlistClientID     Key = `migration.wunderlist.clientid`
 	MigrationWunderlistClientSecret Key = `migration.wunderlist.clientsecret`
 	MigrationWunderlistRedirectURL  Key = `migration.wunderlist.redirecturl`
+
+	CorsEnable  Key = `cors.enable`
+	CorsOrigins Key = `cors.origins`
+	CorsMaxAge  Key = `cors.maxage`
 )

 // GetString returns a string config value
@ -121,6 +125,11 @@ func (k Key) GetDuration() time.Duration {
 	return viper.GetDuration(string(k))
 }

+// GetStringSlice returns a string slice from a config option
+func (k Key) GetStringSlice() []string {
+	return viper.GetStringSlice(string(k))
+}
+
 // Set sets a value
 func (k Key) Set(i interface{}) {
 	viper.Set(string(k), i)
@ -205,6 +214,10 @@ func InitDefaultConfig() {
 	// Files
 	FilesBasePath.setDefault("files")
 	FilesMaxSize.setDefault("20MB")
+	// Cors
+	CorsEnable.setDefault(true)
+	CorsOrigins.setDefault([]string{"*"})
+	CorsMaxAge.setDefault(0)
 }

 // InitConfig initializes the config, sets defaults etc.
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@ -138,16 +138,19 @@ func RegisterRoutes(e *echo.Echo) {
 	}

 	// CORS_SHIT
-	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
-		AllowOrigins: []string{"*"},
-		Skipper: func(context echo.Context) bool {
-			// Since it is not possible to register this middleware just for the api group,
-			// we just disable it when for caldav requests.
-			// Caldav requires OPTIONS requests to be answered in a specific manner,
-			// not doing this would break the caldav implementation
-			return strings.HasPrefix(context.Path(), "/dav")
-		},
-	}))
+	if config.CorsEnable.GetBool() {
+		e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+			AllowOrigins: config.CorsOrigins.GetStringSlice(),
+			MaxAge:       config.CorsMaxAge.GetInt(),
+			Skipper: func(context echo.Context) bool {
+				// Since it is not possible to register this middleware just for the api group,
+				// we just disable it when for caldav requests.
+				// Caldav requires OPTIONS requests to be answered in a specific manner,
+				// not doing this would break the caldav implementation
+				return strings.HasPrefix(context.Path(), "/dav")
+			},
+		}))
+	}

 	// API Routes
 	a := e.Group("/api/v1")