From 5c1bda0f3f992f8a3de2de34bc764c2d9692c901 Mon Sep 17 00:00:00 2001
From: LUCCA DUKIC <109136188+LuccaBitfly@users.noreply.github.com>
Date: Wed, 17 Apr 2024 12:23:24 +0200
Subject: [PATCH 1/2] configure cors for sessions
---
 backend/cmd/api/main.go | 2 +-
 backend/go.mod | 1 +
 backend/go.sum | 2 ++
 backend/pkg/api/router.go | 20 ++++++++------------
 backend/pkg/commons/types/config.go | 3 ++-
 5 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/backend/cmd/api/main.go b/backend/cmd/api/main.go
index 933323980..5f0b3a01e 100644
--- a/backend/cmd/api/main.go
+++ b/backend/cmd/api/main.go
@@ -51,7 +51,7 @@ func main() {
 sessionManager := api.NewSessionManager(cfg.RedisCacheEndpoint, !cfg.Frontend.Debug)
 router := api.NewApiRouter(dataAccessor, sessionManager)
- router.Use(api.CorsMiddleware, api.GetAuthMiddleware(cfg.ApiKeySecret))
+ router.Use(api.GetCorsMiddleware(cfg.CorsAllowedHosts), api.GetAuthMiddleware(cfg.ApiKeySecret))
 srv := &http.Server{
 Handler: router,
diff --git a/backend/go.mod b/backend/go.mod
index 12e12a037..b32955185 100644
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -130,6 +130,7 @@ require (
 github.com/google/s2a-go v0.1.7 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+ github.com/gorilla/handlers v1.5.2 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 github.com/herumi/bls-eth-go-binary v1.31.0 // indirect
 github.com/holiman/uint256 v1.2.4 // indirect
diff --git a/backend/go.sum b/backend/go.sum
index 42f7e2458..ae2c19e73 100644
--- a/backend/go.sum
+++ b/backend/go.sum
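Review bot: In the go.mod hunk `github.com/gorilla/handlers v1.5.2` is added with an `// indirect` marker although router.go now imports it directly, so the module file is not tidy as committed. Running `go mod tidy` moves it into the direct require block; that keeps the list of directly consumed third-party code accurate for anyone auditing this module's dependencies, and a CI tidiness check, if one exists, would otherwise fail on this change.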
@@ -369,6 +369,8 @@ github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qK
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c h1:7lF+Vz0LqiRidnzC1Oq86fpX1q/iEv2KJdrCtttYjT4=
 github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
diff --git a/backend/pkg/api/router.go b/backend/pkg/api/router.go
index 9effaf681..4058f17f8 100644
--- a/backend/pkg/api/router.go
+++ b/backend/pkg/api/router.go
@@ -6,6 +6,7 @@ import (
 "github.com/alexedwards/scs/v2"
 dataaccess "github.com/gobitfly/beaconchain/pkg/api/data_access"
 handlers "github.com/gobitfly/beaconchain/pkg/api/handlers"
+ gorillaHandlers "github.com/gorilla/handlers"
 "github.com/gorilla/mux"
 )
@@ -29,18 +30,13 @@ func NewApiRouter(dataAccessor dataaccess.DataAccessor, sessionManager *scs.Sess
 return router
 }
-func CorsMiddleware(next http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Access-Control-Allow-Origin", "*")
- w.Header().Set("Access-Control-Allow-Headers", "*")
- w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD")
- w.Header().Set("Access-Control-Allow-Credentials", "true")
- if r.Method == http.MethodOptions {
- w.WriteHeader(http.StatusNoContent)
- return
- }
- next.ServeHTTP(w, r)
- })
+func GetCorsMiddleware(allowedHosts []string) func(http.Handler) http.Handler {
+ return gorillaHandlers.CORS(
+ gorillaHandlers.AllowedOrigins(allowedHosts),
+ gorillaHandlers.AllowedMethods([]string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodOptions, http.MethodHead}),
+ gorillaHandlers.AllowedHeaders([]string{"Content-Type", "Authorization"}),
+ gorillaHandlers.AllowCredentials(),
+ )
 }
 func addRoutes(hs *handlers.HandlerService, publicRouter, internalRouter *mux.Router) {
diff --git a/backend/pkg/commons/types/config.go b/backend/pkg/commons/types/config.go
index e194b2a5f..f3d494dd4 100644
--- a/backend/pkg/commons/types/config.go
+++ b/backend/pkg/commons/types/config.go
@@ -261,7 +261,8 @@ type Config struct {
 ApiKey string `yaml:"apiKey" envconfig:"MONITORING_API_KEY"`
 ServiceMonitoringConfigurations []ServiceMonitoringConfiguration `yaml:"serviceMonitoringConfigurations" envconfig:"SERVICE_MONITORING_CONFIGURATIONS"`
 } `yaml:"monitoring"`
- ApiKeySecret string `yaml:"apiKeySecret" envconfig:"API_KEY_SECRET"`
+ ApiKeySecret string `yaml:"apiKeySecret" envconfig:"API_KEY_SECRET"`
+ CorsAllowedHosts []string `yaml:"corsAllowedHosts" envconfig:"CORS_ALLOWED_HOSTS"`
 }
 type DatabaseConfig struct {
From 0856901ce091867d47bd3db419b4d173b650a0c8 Mon Sep 17 00:00:00 2001
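Review bot: `GetCorsMiddleware` has no doc comment saying what the entries of `allowedHosts` must look like, and the parameter name invites bare hostnames; as far as I recall gorilla/handlers compares the request's Origin header against `AllowedOrigins` as a literal string (only `"*"` is special), so the values have to be full origins such as `https://app.example.com`, with scheme and port included, or nothing will match. Because `AllowCredentials()` is set, every listed origin is granted session-cookie-bearing cross-origin access to the API, which is worth stating explicitly so the list stays minimal, e.g. `// GetCorsMiddleware returns a CORS handler that permits credentialed cross-origin requests only from the exact origins (scheme://host[:port]) listed in allowedHosts.` Note also that `Access-Control-Allow-Headers` is narrowed from `*` to `Content-Type, Authorization`, a behaviour change the commit message does not mention; clients sending other custom headers will now fail preflight.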
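Review bot: The new `CorsAllowedHosts` field in config.go carries no comment describing its format or its security meaning, unlike the value it controls. A comment along the lines of `// CorsAllowedHosts lists the exact origins (scheme://host[:port]) allowed to make credentialed cross-origin API requests; keep it as short as possible.` would prevent operators from entering bare hostnames. If `envconfig` here is the usual kelseyhightower package, a `[]string` from `CORS_ALLOWED_HOSTS` is split on commas, which the comment should say as well; confirm against the envconfig in use.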
From: LUCCA DUKIC <109136188+LuccaBitfly@users.noreply.github.com>
Date: Wed, 17 Apr 2024 12:39:54 +0200
Subject: [PATCH 2/2] fallback if allowed hosts not set
---
 backend/pkg/api/router.go | 9 +++++++++
 backend/pkg/commons/log/log.go | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/backend/pkg/api/router.go b/backend/pkg/api/router.go
index 4058f17f8..e0493b0f9 100644
--- a/backend/pkg/api/router.go
+++ b/backend/pkg/api/router.go
@@ -6,6 +6,7 @@ import (
 "github.com/alexedwards/scs/v2"
 dataaccess "github.com/gobitfly/beaconchain/pkg/api/data_access"
 handlers "github.com/gobitfly/beaconchain/pkg/api/handlers"
+ "github.com/gobitfly/beaconchain/pkg/commons/log"
 gorillaHandlers "github.com/gorilla/handlers"
 "github.com/gorilla/mux"
 )
@@ -31,6 +32,14 @@ func NewApiRouter(dataAccessor dataaccess.DataAccessor, sessionManager *scs.Sess
 }
 func GetCorsMiddleware(allowedHosts []string) func(http.Handler) http.Handler {
+ if len(allowedHosts) == 0 {
+ log.Warn("CORS allowed hosts not set, allowing all origins")
+ return gorillaHandlers.CORS(
+ gorillaHandlers.AllowedOrigins([]string{"*"}),
+ gorillaHandlers.AllowedMethods([]string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodOptions, http.MethodHead}),
+ gorillaHandlers.AllowedHeaders([]string{"Content-Type", "Authorization"}),
+ )
+ }
 return gorillaHandlers.CORS(
 gorillaHandlers.AllowedOrigins(allowedHosts),
 gorillaHandlers.AllowedMethods([]string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodOptions, http.MethodHead}),
diff --git a/backend/pkg/commons/log/log.go b/backend/pkg/commons/log/log.go
index 2677d03e6..017943494 100644
--- a/backend/pkg/commons/log/log.go
+++ b/backend/pkg/commons/log/log.go
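Review bot: With an empty `allowedHosts` the middleware now fails open — every origin is accepted and the only signal is a log line — so a deployment that merely forgot to set `CorsAllowedHosts` ends up with the widest possible policy; a safer default is to fail closed (emit no `Access-Control-Allow-Origin` unless an explicit `"*"` entry opts in), or at least to limit the fallback to debug configurations. The fallback correctly omits `AllowCredentials()` (browsers refuse `*` together with credentials), which also means session-cookie requests will not work cross-origin in that mode, and the warning should say so. The two `CORS(...)` calls duplicate the methods and headers lists, which will drift over time; build one shared option slice and append only the origin policy, as below. The function body continues past the end of this hunk.
```go
func GetCorsMiddleware(allowedHosts []string) func(http.Handler) http.Handler {
	opts := []gorillaHandlers.CORSOption{
		gorillaHandlers.AllowedMethods([]string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodOptions, http.MethodHead}),
		gorillaHandlers.AllowedHeaders([]string{"Content-Type", "Authorization"}),
	}
	if len(allowedHosts) == 0 {
		log.Warn("CORS allowed hosts not set, allowing all origins without credentials; session auth will not work cross-origin")
		opts = append(opts, gorillaHandlers.AllowedOrigins([]string{"*"}))
		return gorillaHandlers.CORS(opts...)
	}
	opts = append(opts, gorillaHandlers.AllowedOrigins(allowedHosts), gorillaHandlers.AllowCredentials())
	return gorillaHandlers.CORS(opts...)
}
```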
@@ -26,6 +26,10 @@ func WarnWithStackTrace(err error, errorMsg interface{}, callerSkip int, additio
 logErrorInfo(err, callerSkip, additionalInfos...).Warn(errorMsg)
 }
+func Info(args ...interface{}) {
+ logrus.Info(args...)
+}
+
 func Infof(format string, args ...interface{}) {
 logrus.Infof(format, args...)
 }
@@ -39,6 +43,10 @@ func InfoWithFields(additionalInfos Fields, msg string) {
 logFields.Infof(msg)
 }
+func Warn(args ...interface{}) {
+ logrus.Warn(args...)
+}
+
 func Warnf(format string, args ...interface{}) {
 logrus.Warnf(format, args...)
 }
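Review bot: The new exported `Info` wrapper (and `Warn` in the second hunk of this file) has no doc comment, so the level each one emits at and the fact that they are thin pass-throughs to logrus are undocumented for callers in other packages; `// Info logs args at info level through the package logger.` and `// Warn logs args at warn level through the package logger.` would do. Both take `...interface{}` to match their neighbours; if the module targets Go 1.18 or later, `...any` is the idiomatic spelling, but consistency with the rest of this file is the better choice here.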