Allow for dynamic hosts in CORS origin config (#409)

grega · web-flow · commit c0fd6b3c6f4c · 2024-08-21T10:44:25.000+01:00
## Status - Closes #405 ## What's changed? This extends the current origin-setting functionality (literal origins set via a comma-separated environment variable) and allows the env var string to also contain regular expressions. These allow the origins to match dynamic patterns (eg. `https://*.projects-ui.pages.dev`) and ensures that configuration still remains in the environment as we don't want to assume that anyone running this application will want the same allowed origins configured as us (other than for `localhost` for local and test environments only). eg. instead of currently having to set the following in `ALLOWED_ORIGINS`: ``` https://foo.raspberrypi.org, https://bar.raspberrypi.org, https://foo.editor-standalone-eyq.pages.dev, https://bar.editor-standalone-eyq.pages.dev ``` The following can be set: ``` /https:\/\/(?:[a-z0-9-]+\.)?raspberrypi\.org$/, /https:\/\/.+\.editor-standalone-eyq\.pages\.dev$/ ``` Associated updates in Terraform allow for the origins to match the spec in the [issue](#405) (eg. the addition of wildcards / regex matching): * RaspberryPiFoundation/terraform#898
diff --git a/.env.example b/.env.example
@@ -1,4 +1,6 @@
-ALLOWED_ORIGINS=localhost:3000,localhost:3002,localhost:3009,localhost:3010,localhost:3012,editor.rpfdev.com
+# localhost is set as an origin by default in development (config/initializers/cors.rb)
+# so you probably only need to set ALLOWED_ORIGINS for debugging purposes
+ALLOWED_ORIGINS=""
 
 AWS_ACCESS_KEY_ID=changeme
 AWS_S3_ACTIVE_STORAGE_BUCKET=changeme
diff --git a/README.md b/README.md
@@ -127,11 +127,7 @@ docker-compose run api rspec spec/path/to/spec.rb
 
 ### CORS Allowed Origins
 
-Add a comma separated list to the relevant enviroment settings. E.g for development in the `.env` file:
-
-```
-ALLOWED_ORIGINS=localhost:3002,localhost:3000
-```
+Handled in `config/initializers/cors.rb`.
 
 ### Webhooks
 
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
@@ -1,24 +1,27 @@
 # frozen_string_literal: true
 
 # Be sure to restart your server when you modify this file.
+# Read more: https://github.com/cyu/rack-cors
 
-origins_array = ENV['ALLOWED_ORIGINS']&.split(',')&.map(&:strip) || []
-# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin Ajax requests.
+require Rails.root.join('lib/origin_parser')
 
 Rails.application.config.middleware.insert_before 0, Rack::Cors do
   allow do
-    origins origins_array
-    resource '*', headers: :any, methods: %i[get post patch put delete], expose: ['Link']
+    # localhost and test domain origins
+    origins(%r{https?://localhost([:0-9]*)$}) if Rails.env.development? || Rails.env.test?
+
+    standard_cors_options
+  end
+
+  allow do
+    # environment-specific origins set through ALLOWED_ORIGINS env var
+    # should only be necessary for staging / production environments (see above for local and test)
+    origins OriginParser.parse_origins
+
+    standard_cors_options
   end
 end
-# Read more: https://github.com/cyu/rack-cors
 
-# Rails.application.config.middleware.insert_before 0, Rack::Cors do
-#   allow do
-#     origins "example.com"
-#
-#     resource "*",
-#       headers: :any,
-#       methods: [:get, :post, :put, :patch, :delete, :options, :head]
-#   end
-# end
+def standard_cors_options
+  resource '*', headers: :any, methods: %i[get post patch put delete], expose: ['Link']
+end
diff --git a/lib/corp_middleware.rb b/lib/corp_middleware.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'origin_parser'
+
 class CorpMiddleware
   def initialize(app)
     @app = app
@@ -8,9 +10,11 @@ def initialize(app)
   def call(env)
     status, headers, response = @app.call(env)
     request_origin = env['HTTP_HOST']
-    allowed_origins = ENV['ALLOWED_ORIGINS']&.split(',')&.map(&:strip) || []
+    allowed_origins = OriginParser.parse_origins
 
-    if env['PATH_INFO'].start_with?('/rails/active_storage') && allowed_origins.include?(request_origin)
+    if env['PATH_INFO'].start_with?('/rails/active_storage') && allowed_origins.any? do |origin|
+         origin.is_a?(Regexp) ? origin =~ request_origin : origin == request_origin
+       end
       headers['Cross-Origin-Resource-Policy'] = 'cross-origin'
     end
 
diff --git a/lib/origin_parser.rb b/lib/origin_parser.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# fetch origins from the environment in a comma-separated string
+# these can be literal strings or regexes
+# regexes must be wrapped in forward slashes eg. /https?:\/\/localhost(:[0-9]*)?$/
+module OriginParser
+  def self.parse_origins
+    ENV['ALLOWED_ORIGINS']&.split(',')&.map do |origin|
+      stripped_origin = origin.strip
+      if stripped_origin.start_with?('/') && stripped_origin.end_with?('/')
+        Regexp.new(stripped_origin[1..-2])
+      else
+        stripped_origin
+      end
+    end || []
+  end
+end
diff --git a/spec/lib/corp_middleware_spec.rb b/spec/lib/corp_middleware_spec.rb
@@ -12,7 +12,15 @@
     allow(ENV).to receive(:[]).with('ALLOWED_ORIGINS').and_return('test.com')
   end
 
-  it 'sets the Cross-Origin-Resource-Policy header for allowed origins' do
+  it 'sets the Cross-Origin-Resource-Policy header for a literal origin' do
+    _status, headers, _response = middleware.call(env)
+
+    expect(headers['Cross-Origin-Resource-Policy']).to eq('cross-origin')
+  end
+
+  it 'sets the Cross-Origin-Resource-Policy header for regex origin' do
+    allow(ENV).to receive(:[]).with('ALLOWED_ORIGINS').and_return('/test\.com/')
+
     _status, headers, _response = middleware.call(env)
 
     expect(headers['Cross-Origin-Resource-Policy']).to eq('cross-origin')
diff --git a/spec/lib/origin_parser_spec.rb b/spec/lib/origin_parser_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe OriginParser do
+  describe '.parse_origins' do
+    after { ENV['ALLOWED_ORIGINS'] = nil }
+
+    it 'returns an empty array if ALLOWED_ORIGINS is not set' do
+      ENV['ALLOWED_ORIGINS'] = nil
+      expect(described_class.parse_origins).to eq([])
+    end
+
+    it 'parses literal strings correctly' do
+      ENV['ALLOWED_ORIGINS'] = 'http://example.com, https://example.org'
+      expect(described_class.parse_origins).to eq(['http://example.com', 'https://example.org'])
+    end
+
+    it 'parses regexes correctly' do
+      ENV['ALLOWED_ORIGINS'] = '/https?:\/\/example\.com/'
+      expect(described_class.parse_origins).to eq([Regexp.new('https?:\/\/example\.com')])
+    end
+
+    it 'parses a mix of literals and regexes' do
+      ENV['ALLOWED_ORIGINS'] = 'http://example.com, /https?:\/\/localhost$/'
+      expect(described_class.parse_origins).to eq(['http://example.com', Regexp.new('https?:\/\/localhost$')])
+    end
+
+    it 'strips whitespace from origins' do
+      ENV['ALLOWED_ORIGINS'] = '  http://example.com  , /regex$/  '
+      expect(described_class.parse_origins).to eq(['http://example.com', Regexp.new('regex$')])
+    end
+
+    it 'returns an empty array if ALLOWED_ORIGINS is empty' do
+      ENV['ALLOWED_ORIGINS'] = ''
+      expect(described_class.parse_origins).to eq([])
+    end
+  end
+end
