feat(backend)!: Add CORS policy for GraphQL subscriptions (#1272)

osmanhadzic · web-flow · commit 3d77c0a368c9 · 2026-03-18T15:58:11.000+01:00
- Add CORS policy for GraphQL subscriptions
- Add tests for CORS policy configuration
- Add environment variable to configure allowed origins for CORS policy

BREAKING CHANGE: the backend now reads a new environment variable: `CHECK_ORIGIN_ALLOWED_ORIGINS` that sets the allowed origins for graphql
subscriptions. If not set the subscriptions will not work in a Kubernetes
environment. Please update your environment accordingly

Signed-off-by: Osman Hadzic &lt;osman.hadzic@secomind.com&gt;
diff --git a/backend/config/dev.exs b/backend/config/dev.exs
@@ -22,6 +22,18 @@ url_host = System.get_env("URL_HOST", "localhost")
 url_port = System.get_env("URL_PORT", "4000")
 url_scheme = System.get_env("URL_SCHEME", "http")
 
+check_origin =
+  case System.get_env("CHECK_ORIGIN_ALLOWED_ORIGINS") do
+    nil ->
+      ["//localhost", "//127.0.0.1"]
+
+    raw_origins ->
+      raw_origins
+      |> String.split(",", trim: true)
+      |> Enum.map(&String.trim/1)
+      |> Enum.reject(&(&1 == ""))
+  end
+
 database = %{
   username: System.get_env("DATABASE_USERNAME", "postgres"),
   password: System.get_env("DATABASE_PASSWORD", "postgres"),
@@ -64,7 +76,7 @@ config :edgehog, EdgehogWeb.Endpoint,
     scheme: url_scheme,
     port: url_port
   ],
-  check_origin: false,
+  check_origin: check_origin,
   code_reloader: true,
   debug_errors: true,
   secret_key_base: "uEb3NXr0KodsrjUUUo98VBEExFFAolxlfOW7ZzP/OGgd1R2pDhwMddZXjvUp/3MW",
diff --git a/backend/config/runtime.exs b/backend/config/runtime.exs
@@ -234,6 +234,23 @@ if config_env() == :prod do
   url_port = System.get_env("URL_PORT", "443")
   url_scheme = System.get_env("URL_SCHEME", "https")
 
+  check_origin_default = ["#{url_scheme}://#{url_host}:#{url_port}"]
+
+  check_origin =
+    case System.get_env("CHECK_ORIGIN_ALLOWED_ORIGINS") do
+      nil ->
+        check_origin_default
+
+      raw_origins ->
+        parsed_origins =
+          raw_origins
+          |> String.split(",", trim: true)
+          |> Enum.map(&String.trim/1)
+          |> Enum.reject(&(&1 == ""))
+
+        if parsed_origins == [], do: check_origin_default, else: parsed_origins
+    end
+
   forwarder_secure_sessions? =
     System.get_env("EDGEHOG_FORWARDER_SECURE_SESSIONS", "true") == "true"
 
@@ -263,6 +280,7 @@ if config_env() == :prod do
       scheme: url_scheme,
       port: url_port
     ],
+    check_origin: check_origin,
     secret_key_base: secret_key_base
 
   if forwarder_hostname != nil &&
diff --git a/backend/docs/pages/admin/deploying_with_kubernetes.md b/backend/docs/pages/admin/deploying_with_kubernetes.md
@@ -303,6 +303,8 @@ spec:
               value: "4000"
             - name: URL_HOST
               value: <BACKEND-HOST>
+            - name: CHECK_ORIGIN_ALLOWED_ORIGINS
+              value: <CHECK-ORIGIN-ALLOWED-ORIGINS>
             - name: DATABASE_HOSTNAME
               value: <DATABASE-HOSTNAME>
             - name: DATABASE_NAME
@@ -439,6 +441,7 @@ spec:
 Values to be replaced
 
 - `BACKEND-HOST`: the host of the Edgehog backend (see the [Creating DNS entries](#creating-dns-entries) section).
+- `CHECK-ORIGIN-ALLOWED-ORIGINS`: a comma-separated list of allowed origins for websocket origin checks (for example `https://edgehog.example.com,https://ops.edgehog.example.com`). If omitted, it falls back to the backend URL.
 - `DATABASE-HOSTNAME`: the hostname of the PostgreSQL database.
 - `MAX-UPLOAD-SIZE-BYTES`: the maximum dimension for uploads, particularly relevant for OTA updates.
   If omitted, it defaults to 4 Gigabytes.
diff --git a/backend/lib/edgehog_web/endpoint.ex b/backend/lib/edgehog_web/endpoint.ex
@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2021-2023 SECO Mind Srl
+# Copyright 2021-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -32,8 +32,7 @@ defmodule EdgehogWeb.Endpoint do
   ]
 
   socket "/socket", EdgehogWeb.GqlSocket,
-    # TODO: Enable `check_origin` (and configure allowed origins) to mitigate Cross-Site WebSocket Hijacking.
-    websocket: [connect_info: [:peer_data, :x_headers], check_origin: false],
+    websocket: [connect_info: [:peer_data, :x_headers]],
     longpoll: [connect_info: [:peer_data, :x_headers]]
 
   plug PlugHeartbeat, path: "/health"
diff --git a/backend/test/edgehog_web/schema/subscriptions/check_origin_config_test.exs b/backend/test/edgehog_web/schema/subscriptions/check_origin_config_test.exs
@@ -0,0 +1,121 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule EdgehogWeb.Schema.Subscriptions.CheckOriginConfigTest do
+  use ExUnit.Case, async: false
+
+  defp read_endpoint_config!(config_file, env) do
+    config_file
+    |> Config.Reader.read!(env: env, target: :host)
+    |> Keyword.get(:edgehog, [])
+    |> Keyword.fetch!(EdgehogWeb.Endpoint)
+  end
+
+  defp with_env(overrides, fun) do
+    previous = for {key, _value} <- overrides, into: %{}, do: {key, System.get_env(key)}
+
+    Enum.each(overrides, fn
+      {key, nil} -> System.delete_env(key)
+      {key, value} -> System.put_env(key, value)
+    end)
+
+    try do
+      fun.()
+    after
+      Enum.each(previous, fn
+        {key, nil} -> System.delete_env(key)
+        {key, value} -> System.put_env(key, value)
+      end)
+    end
+  end
+
+  describe "config/dev.exs check_origin" do
+    test "defaults to localhost origins when env var is not set" do
+      with_env([{"CHECK_ORIGIN_ALLOWED_ORIGINS", nil}], fn ->
+        endpoint = read_endpoint_config!("config/dev.exs", :dev)
+
+        assert Keyword.fetch!(endpoint, :check_origin) == ["//localhost", "//127.0.0.1"]
+      end)
+    end
+
+    test "uses comma-separated CHECK_ORIGIN_ALLOWED_ORIGINS" do
+      with_env(
+        [
+          {"CHECK_ORIGIN_ALLOWED_ORIGINS", "http://localhost:5173, http://edgehog.localhost"}
+        ],
+        fn ->
+          endpoint = read_endpoint_config!("config/dev.exs", :dev)
+
+          assert Keyword.fetch!(endpoint, :check_origin) == [
+                   "http://localhost:5173",
+                   "http://edgehog.localhost"
+                 ]
+        end
+      )
+    end
+  end
+
+  describe "config/runtime.exs check_origin" do
+    test "defaults to URL_SCHEME://URL_HOST:URL_PORT in prod" do
+      with_env(
+        [
+          {"DATABASE_USERNAME", "postgres"},
+          {"DATABASE_PASSWORD", "postgres"},
+          {"DATABASE_HOSTNAME", "localhost"},
+          {"DATABASE_NAME", "edgehog"},
+          {"SECRET_KEY_BASE", "test_secret_key_base"},
+          {"URL_HOST", "api.edgehog.localhost"},
+          {"URL_SCHEME", "https"},
+          {"URL_PORT", "443"},
+          {"CHECK_ORIGIN_ALLOWED_ORIGINS", nil}
+        ],
+        fn ->
+          endpoint = read_endpoint_config!("config/runtime.exs", :prod)
+
+          assert Keyword.fetch!(endpoint, :check_origin) == ["https://api.edgehog.localhost:443"]
+        end
+      )
+    end
+
+    test "uses CHECK_ORIGIN_ALLOWED_ORIGINS in prod when provided" do
+      with_env(
+        [
+          {"DATABASE_USERNAME", "postgres"},
+          {"DATABASE_PASSWORD", "postgres"},
+          {"DATABASE_HOSTNAME", "localhost"},
+          {"DATABASE_NAME", "edgehog"},
+          {"SECRET_KEY_BASE", "test_secret_key_base"},
+          {"URL_HOST", "api.edgehog.localhost"},
+          {"URL_SCHEME", "https"},
+          {"URL_PORT", "443"},
+          {"CHECK_ORIGIN_ALLOWED_ORIGINS", "https://ui.edgehog.localhost, https://ops.edgehog.localhost"}
+        ],
+        fn ->
+          endpoint = read_endpoint_config!("config/runtime.exs", :prod)
+
+          assert Keyword.fetch!(endpoint, :check_origin) == [
+                   "https://ui.edgehog.localhost",
+                   "https://ops.edgehog.localhost"
+                 ]
+        end
+      )
+    end
+  end
+end
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -64,6 +64,7 @@ services:
       URL_HOST: edgehog-backend
       URL_PORT: 4000
       URL_SCHEME: http
+      CHECK_ORIGIN_ALLOWED_ORIGINS: http://${DOCKER_COMPOSE_EDGEHOG_BASE_DOMAIN}
       EDGEHOG_FORWARDER_HOSTNAME: device-forwarder.${DOCKER_COMPOSE_EDGEHOG_BASE_DOMAIN}
       EDGEHOG_FORWARDER_PORT: 80
       EDGEHOG_FORWARDER_SECURE_SESSIONS: "false"

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`#`
`2`	`2`	`# This file is part of Edgehog.`
`3`	`3`	`#`
`4`		`-# Copyright 2021-2023 SECO Mind Srl`
	`4`	`+# Copyright 2021-2026 SECO Mind Srl`
`5`	`5`	`#`
`6`	`6`	`# Licensed under the Apache License, Version 2.0 (the "License");`
`7`	`7`	`# you may not use this file except in compliance with the License.`
`@@ -32,8 +32,7 @@ defmodule EdgehogWeb.Endpoint do`
`32`	`32`	`]`
`33`	`33`
`34`	`34`	`socket "/socket", EdgehogWeb.GqlSocket,`
`35`		- # TODO: Enable `check_origin` (and configure allowed origins) to mitigate Cross-Site WebSocket Hijacking.
`36`		`- websocket: [connect_info: [:peer_data, :x_headers], check_origin: false],`
	`35`	`+ websocket: [connect_info: [:peer_data, :x_headers]],`
`37`	`36`	`longpoll: [connect_info: [:peer_data, :x_headers]]`
`38`	`37`
`39`	`38`	`plug PlugHeartbeat, path: "/health"`