CORS allow_origin(Any) ships unconditionally to production

## Summary

In `crates/arroyo-api/src/rest.rs`, the CORS layer is configured with `allow_origin(Any)` unconditionally, with a TODO comment indicating it should be development-only:

```rust
// TODO: enable in development only!!!
let cors = CorsLayer::new()
    .allow_methods(cors::Any)
    .allow_headers(cors::Any)
    .allow_origin(cors::Any);
```

This ships to production without any environment check, allowing any website to make cross-origin requests to the Arroyo control plane API.

## Impact

- Any malicious website can make authenticated cross-origin requests to a user's Arroyo instance if they have an active session
- Combined with credential-bearing requests, this could allow CSRF-style attacks against the control plane

## Suggested Fix

Gate the permissive CORS behind an environment variable or build flag:

```rust
let cors = if cfg!(debug_assertions) || env::var("ARROYO_DEV_CORS").is_ok() {
    CorsLayer::permissive()
} else {
    CorsLayer::new()
        .allow_origin(AllowOrigin::list(allowed_origins))
        .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE])
        .allow_headers([AUTHORIZATION, CONTENT_TYPE])
};
```

Happy to discuss further or submit a PR if helpful.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CORS allow_origin(Any) ships unconditionally to production #1013

Summary

Impact

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CORS allow_origin(Any) ships unconditionally to production #1013

Description

Summary

Impact

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions