feat: add config to specify CORS origins

Author: taimoorzaeem

CHANGELOG.md

@@ -13,6 +13,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
  - #2698, Add config `jwt-cache-max-lifetime` and implement JWT caching - @taimoorzaeem
  - #2943, Add `handling=strict/lenient` for Prefer header - @taimoorzaeem
  - #2983, Add more data to `Server-Timing` header - @develop7
+ - #2441, Add config `cors-allowed-origins` to specify CORS origins - @taimoorzaeem
 
 ### Fixed
 

src/PostgREST/App.hs

@@ -110,7 +110,7 @@ serverSettings AppConfig{..} =
 postgrest :: AppConfig -> AppState.AppState -> IO () -> Wai.Application
 postgrest conf appState connWorker =
   traceHeaderMiddleware conf .
-  Cors.middleware .
+  Cors.middleware (configCorsAllowedOrigins conf) .
   Auth.middleware appState .
   Logger.middleware (configLogLevel conf) $
     -- fromJust can be used, because the auth middleware will **always** add

src/PostgREST/CLI.hs

@@ -126,6 +126,9 @@ exampleConfigFile =
   [str|## Admin server used for checks. It's disabled by default unless a port is specified.
       |# admin-server-port = 3001
       |
+      |## Configurable CORS origins
+      |# cors-allowed-origins = "*"
+      |
       |## The database role to use when no client authentication is provided
       |# db-anon-role = "anon"
       |

src/PostgREST/Config.hs

@@ -70,6 +70,7 @@ import Protolude hiding (Proxy, toList)
 
 data AppConfig = AppConfig
   { configAppSettings              :: [(Text, Text)]
+  , configCorsAllowedOrigins       :: Maybe [Text]
   , configDbAnonRole               :: Maybe BS.ByteString
   , configDbChannel                :: Text
   , configDbChannelEnabled         :: Bool
@@ -139,7 +140,8 @@ toText conf =
   where
     -- apply conf to all pgrst settings
     pgrstSettings = (\(k, v) -> (k, v conf)) <$>
-      [("db-anon-role",              q . T.decodeUtf8 . fromMaybe "" . configDbAnonRole)
+      [("cors-allowed-origins",      q . maybe "*" (T.intercalate ",") . configCorsAllowedOrigins)
+      ,("db-anon-role",              q . T.decodeUtf8 . fromMaybe "" . configDbAnonRole)
       ,("db-channel",                q . configDbChannel)
       ,("db-channel-enabled",            T.toLower . show . configDbChannelEnabled)
       ,("db-extra-search-path",      q . T.intercalate "," . configDbExtraSearchPath)
@@ -233,6 +235,7 @@ parser :: Maybe FilePath -> Environment -> [(Text, Text)] -> RoleSettings -> Rol
 parser optPath env dbSettings roleSettings roleIsolationLvl =
   AppConfig
     <$> parseAppSettings "app.settings"
+    <*> (fmap splitOnCommas <$> optValue "cors-allowed-origins")
     <*> (fmap encodeUtf8 <$> optString "db-anon-role")
     <*> (fromMaybe "pgrst" <$> optString "db-channel")
     <*> (fromMaybe True <$> optBool "db-channel-enabled")

src/PostgREST/Cors.hs

@@ -2,26 +2,30 @@
 Module      : PostgREST.Cors
 Description : Wai Middleware to set cors policy.
 -}
+
+{-# LANGUAGE TupleSections #-}
+
 module PostgREST.Cors (middleware) where
 
 import qualified Data.ByteString.Char8       as BS
 import qualified Data.CaseInsensitive        as CI
+import qualified Data.Text.Encoding          as T
 import qualified Network.Wai                 as Wai
 import qualified Network.Wai.Middleware.Cors as Wai
 
 import Data.List (lookup)
 
 import Protolude
 
-middleware :: Wai.Middleware
-middleware = Wai.cors corsPolicy
+middleware :: Maybe [Text] -> Wai.Middleware
+middleware corsAllowedOrigins = Wai.cors $ corsPolicy corsAllowedOrigins
 
 -- | CORS policy to be used in by Wai Cors middleware
-corsPolicy :: Wai.Request -> Maybe Wai.CorsResourcePolicy
-corsPolicy req = case lookup "origin" headers of
-  Just origin ->
+corsPolicy :: Maybe [Text] -> Wai.Request -> Maybe Wai.CorsResourcePolicy
+corsPolicy corsAllowedOrigins req = case lookup "origin" headers of
+  Just _ ->
     Just Wai.CorsResourcePolicy
-    { Wai.corsOrigins = Just ([origin], True)
+    { Wai.corsOrigins = (, True) . map T.encodeUtf8 <$> corsAllowedOrigins
     , Wai.corsMethods = ["GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS"]
     , Wai.corsRequestHeaders = "Authorization" : accHeaders
     , Wai.corsExposedHeaders = Just

test/io/configs/expected/aliases.config

@@ -1,3 +1,4 @@
+cors-allowed-origins = "*"
 db-anon-role = ""
 db-channel = "pgrst"
 db-channel-enabled = true

test/io/configs/expected/boolean-numeric.config

@@ -1,3 +1,4 @@
+cors-allowed-origins = "*"
 db-anon-role = ""
 db-channel = "pgrst"
 db-channel-enabled = true

test/io/configs/expected/boolean-string.config

@@ -1,3 +1,4 @@
+cors-allowed-origins = "*"
 db-anon-role = ""
 db-channel = "pgrst"
 db-channel-enabled = true

test/io/configs/expected/defaults.config

@@ -1,3 +1,4 @@
+cors-allowed-origins = "*"
 db-anon-role = ""
 db-channel = "pgrst"
 db-channel-enabled = true

test/io/configs/expected/no-defaults-with-db-other-authenticator.config

@@ -1,3 +1,4 @@
+cors-allowed-origins = "http://example.com"
 db-anon-role = "pre_config_role"
 db-channel = "postgrest"
 db-channel-enabled = false