Merge pull request #2494 from RushanNanayakkara/thunder-cors-config

Harden CORS origin matching and preflight handling

Author: RushanNanayakkara

.vale/styles/config/vocabularies/vocab/accept.txt

@@ -61,4 +61,5 @@ ACLs
 [Bb]ackoff
 [Rr]etryable
 [Uu]psert
-[Ii]dempotency
+[Ii]dempotency
+[Ss]andboxed

backend/cmd/server/repository/conf/deployment.yaml

@@ -51,6 +51,7 @@ jwt:
 cors:
   allowed_origins:
     - "https://localhost:3000"
+    # - regex: '^https://[a-z0-9-]+\.staging\.example\.com(:[0-9]+)?$'
 
 passkey:
   allowed_origins:

backend/internal/application/init.go

@@ -75,9 +75,10 @@ func Initialize(
 
 func registerRoutes(mux *http.ServeMux, appHandler *applicationHandler) {
 	opts1 := middleware.CORSOptions{
-		AllowedMethods:   "GET, POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("POST /applications",
 		appHandler.HandleApplicationPostRequest, opts1))
@@ -89,9 +90,10 @@ func registerRoutes(mux *http.ServeMux, appHandler *applicationHandler) {
 		}, opts1))
 
 	opts2 := middleware.CORSOptions{
-		AllowedMethods:   "GET, PUT, DELETE",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "PUT", "DELETE"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /applications/{id}",
 		appHandler.HandleApplicationGetRequest, opts2))

backend/internal/authn/init.go

@@ -113,9 +113,10 @@ func Initialize(
 // registerRoutes registers the routes for the authentication.
 func registerRoutes(mux *http.ServeMux, authnHandler *authenticationHandler) {
 	opts := middleware.CORSOptions{
-		AllowedMethods:   "POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 
 	// Credentials authentication routes

backend/internal/design/layout/mgt/init.go

@@ -101,9 +101,10 @@ func initializeStore() (layoutMgtStoreInterface, error) {
 // registerRoutes registers the routes for layout management operations.
 func registerRoutes(mux *http.ServeMux, layoutMgtHandler *layoutMgtHandler) {
 	opts1 := middleware.CORSOptions{
-		AllowedMethods:   "GET, POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("POST /design/layouts", layoutMgtHandler.HandleLayoutPostRequest, opts1))
 	mux.HandleFunc(middleware.WithCORS("GET /design/layouts", layoutMgtHandler.HandleLayoutListRequest, opts1))
@@ -112,9 +113,10 @@ func registerRoutes(mux *http.ServeMux, layoutMgtHandler *layoutMgtHandler) {
 	}, opts1))
 
 	opts2 := middleware.CORSOptions{
-		AllowedMethods:   "GET, PUT, DELETE",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "PUT", "DELETE"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /design/layouts/{id}", layoutMgtHandler.HandleLayoutGetRequest, opts2))
 	mux.HandleFunc(middleware.WithCORS("PUT /design/layouts/{id}", layoutMgtHandler.HandleLayoutPutRequest, opts2))

backend/internal/design/resolve/init.go

@@ -43,9 +43,10 @@ func Initialize(
 // registerRoutes registers the routes for design resolve operations.
 func registerRoutes(mux *http.ServeMux, resolveHandler *designResolveHandler) {
 	opts := middleware.CORSOptions{
-		AllowedMethods:   "GET",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /design/resolve", resolveHandler.HandleResolveRequest, opts))
 	mux.HandleFunc(middleware.WithCORS("OPTIONS /design/resolve", func(w http.ResponseWriter, r *http.Request) {

backend/internal/design/theme/mgt/init.go

@@ -101,9 +101,10 @@ func initializeStore() (themeMgtStoreInterface, error) {
 // registerRoutes registers the routes for theme management operations.
 func registerRoutes(mux *http.ServeMux, themeMgtHandler *themeMgtHandler) {
 	opts1 := middleware.CORSOptions{
-		AllowedMethods:   "GET, POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("POST /design/themes", themeMgtHandler.HandleThemePostRequest, opts1))
 	mux.HandleFunc(middleware.WithCORS("GET /design/themes", themeMgtHandler.HandleThemeListRequest, opts1))
@@ -112,9 +113,10 @@ func registerRoutes(mux *http.ServeMux, themeMgtHandler *themeMgtHandler) {
 	}, opts1))
 
 	opts2 := middleware.CORSOptions{
-		AllowedMethods:   "GET, PUT, DELETE",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "PUT", "DELETE"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /design/themes/{id}", themeMgtHandler.HandleThemeGetRequest, opts2))
 	mux.HandleFunc(middleware.WithCORS("PUT /design/themes/{id}", themeMgtHandler.HandleThemePutRequest, opts2))

backend/internal/flow/flowexec/init.go

@@ -67,9 +67,10 @@ func Initialize(
 
 func registerRoutes(mux *http.ServeMux, handler *flowExecutionHandler) {
 	opts := middleware.CORSOptions{
-		AllowedMethods:   "POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("POST /flow/execute",
 		middleware.CorrelationIDMiddleware(http.HandlerFunc(handler.HandleFlowExecutionRequest)).ServeHTTP, opts))

backend/internal/flow/flowmeta/init.go

@@ -49,9 +49,10 @@ func Initialize(
 func registerRoutes(mux *http.ServeMux, handler *flowMetaHandler) {
 	// CORS options for flow metadata endpoint (follows the same security as flow/execute)
 	opts := middleware.CORSOptions{
-		AllowedMethods:   "GET, OPTIONS",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "OPTIONS"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 
 	// Register GET endpoint

backend/internal/flow/mgt/init.go

@@ -149,9 +149,10 @@ func isCompositeModeEnabled() bool {
 // registerRoutes registers the HTTP routes for flow management.
 func registerRoutes(mux *http.ServeMux, handler *flowMgtHandler) {
 	opts1 := middleware.CORSOptions{
-		AllowedMethods:   "GET, POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /flows", handler.listFlows, opts1))
 	mux.HandleFunc(middleware.WithCORS("POST /flows", handler.createFlow, opts1))
@@ -160,9 +161,10 @@ func registerRoutes(mux *http.ServeMux, handler *flowMgtHandler) {
 	}, opts1))
 
 	opts2 := middleware.CORSOptions{
-		AllowedMethods:   "GET, PUT, DELETE",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET", "PUT", "DELETE"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /flows/{flowId}", handler.getFlow, opts2))
 	mux.HandleFunc(middleware.WithCORS("PUT /flows/{flowId}", handler.updateFlow, opts2))
@@ -172,9 +174,10 @@ func registerRoutes(mux *http.ServeMux, handler *flowMgtHandler) {
 	}, opts2))
 
 	opts3 := middleware.CORSOptions{
-		AllowedMethods:   "GET",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"GET"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("GET /flows/{flowId}/versions", handler.listFlowVersions, opts3))
 	mux.HandleFunc(middleware.WithCORS("OPTIONS /flows/{flowId}/versions",
@@ -190,9 +193,10 @@ func registerRoutes(mux *http.ServeMux, handler *flowMgtHandler) {
 	)
 
 	opts4 := middleware.CORSOptions{
-		AllowedMethods:   "POST",
-		AllowedHeaders:   "Content-Type, Authorization",
+		AllowedMethods:   []string{"POST"},
+		AllowedHeaders:   middleware.DefaultAllowedHeaders,
 		AllowCredentials: true,
+		MaxAge:           600,
 	}
 	mux.HandleFunc(middleware.WithCORS("POST /flows/{flowId}/restore", handler.restoreFlowVersion, opts4))
 	mux.HandleFunc(middleware.WithCORS("OPTIONS /flows/{flowId}/restore",