Merge pull request #1725 from hashtopolis/1265-properly-implement-cors

Eric-Wasson · web-flow · commit 6cb425cb6d81 · 2025-11-27T15:12:11.000+01:00
Added an improved CORS implementation #1265
diff --git a/doc/installation_guidelines/tls.md b/doc/installation_guidelines/tls.md
@@ -97,12 +97,12 @@ http {
 }
 ```
 
-3. Update the value of `HASHTOPOLIS_BACKEND_URL` in the `.env` file to reflect the changes done above. 
+3. Update the value of `HASHTOPOLIS_BACKEND_URL` in the `.env` file to reflect the changes done above. If your server name isn't localhost, be sure to also update the comma-separated list of `HASHTOPOLIS_FRONTEND_URLS` to include new https frontend.
 
 4. Start the containers
 ```
 
 docker compose up
 
 ```
-5. Visit hashtopolis at https://localhost/
+5. Visit hashtopolis at https://localhost/
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,7 +14,8 @@ services:
       HASHTOPOLIS_DB_DATABASE: $MYSQL_DATABASE
       HASHTOPOLIS_ADMIN_USER: $HASHTOPOLIS_ADMIN_USER
       HASHTOPOLIS_ADMIN_PASSWORD: $HASHTOPOLIS_ADMIN_PASSWORD
-      HASHTOPOLIS_APIV2_ENABLE: $HASHTOPOLIS_APIV2_ENABLE
+      HASHTOPOLIS_APIV2_ENABLE: $HASHTOPOLIS_APIV2_ENABLE 
+      HASHTOPOLIS_FRONTEND_URLS: $HASHTOPOLIS_FRONTEND_URLS
     depends_on:
       - db
     ports:
diff --git a/env.example b/env.example
@@ -9,3 +9,4 @@ HASHTOPOLIS_DB_HOST=db
 
 HASHTOPOLIS_APIV2_ENABLE=0
 HASHTOPOLIS_BACKEND_URL=http://localhost:8080/api/v2
+HASHTOPOLIS_FRONTEND_URLS=http://127.0.0.1:4200,http://localhost:4200,http://127.0.0.1:8080,http://localhost:8080,https://127.0.0.1,https://localhost
diff --git a/src/api/v2/index.php b/src/api/v2/index.php
@@ -192,8 +192,6 @@ public function process(Request $request, RequestHandler $handler): Response {
 }
 
 
-/* FIXME: CORS wildcard hack should require proper implementation and validation */
-
 /* This middleware will append the response header Access-Control-Allow-Methods with all allowed methods */
 
 class CorsHackMiddleware implements MiddlewareInterface {
@@ -209,7 +207,19 @@ public static function addCORSheaders(Request $request, $response) {
     $methods = $routingResults->getAllowedMethods();
     $requestHeaders = $request->getHeaderLine('Access-Control-Request-Headers');
     
-    $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+    if (getenv('HASHTOPOLIS_FRONTEND_URLS') !== false) {
+      if(in_array($request->getHeaderLine('HTTP_ORIGIN'), explode(',', getenv('HASHTOPOLIS_FRONTEND_URLS')), true)) {
+        $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeaderLine('HTTP_ORIGIN'));
+      }
+      else {
+        error_log("CORS error: Allow-Origin doesn't match. Please make sure to include the used frontend in the .env file.");
+      }
+    }
+    else {
+      //No frontend URLs given in .env file, switch to default allow all
+      $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+    }
+
     $response = $response->withHeader('Access-Control-Allow-Methods', implode(',', $methods));
     $response = $response->withHeader('Access-Control-Allow-Headers', $requestHeaders);
     

Original file line number	Diff line number	Diff line change
`@@ -9,3 +9,4 @@ HASHTOPOLIS_DB_HOST=db`
`9`	`9`
`10`	`10`	`HASHTOPOLIS_APIV2_ENABLE=0`
`11`	`11`	`HASHTOPOLIS_BACKEND_URL=http://localhost:8080/api/v2`
	`12`	`+HASHTOPOLIS_FRONTEND_URLS=http://127.0.0.1:4200,http://localhost:4200,http://127.0.0.1:8080,http://localhost:8080,https://127.0.0.1,https://localhost`