Add CORS configuration to security settings.

This patch adds a new CORS config textbox in Settings -> Security that allows
configuring CORS origin domains per line.

Closes #2724

Author: knadh

cmd/handlers.go

@@ -40,6 +40,14 @@ func initHTTPHandlers(e *echo.Echo, a *App) {
 		e.DefaultHTTPErrorHandler(err, c)
 	}
 
+	// Configure CORS middleware if domains are configured.
+	if len(a.cfg.Security.CorsOrigins) > 0 {
+		e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+			AllowOrigins: a.cfg.Security.CorsOrigins,
+			AllowHeaders: []string{echo.HeaderOrigin, echo.HeaderContentType, echo.HeaderAccept},
+		}))
+	}
+
 	// =================================================================
 	// Authenticated non /api handlers.
 	{

cmd/init.go

@@ -117,6 +117,8 @@ type Config struct {
 				Secret  string `koanf:"secret"`
 			} `koanf:"hcaptcha"`
 		} `koanf:"captcha"`
+
+		CorsOrigins []string `koanf:"cors_origins"`
 	} `koanf:"security"`
 
 	Appearance struct {

cmd/settings.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"io"
 	"net/http"
+	"net/url"
 	"regexp"
 	"runtime"
 	"strings"
@@ -256,6 +257,27 @@ func (a *App) UpdateSettings(c echo.Context) error {
 	}
 	set.DomainAllowlist = doms
 
+	// Validate and clean CORS domains.
+	cors := make([]string, 0, len(set.SecurityCORSOrigins))
+	for _, d := range set.SecurityCORSOrigins {
+		if d = strings.TrimSpace(d); d != "" {
+			if d == "*" {
+				cors = append(cors, d)
+				continue
+			}
+
+			// Parse and validate the URL.
+			u, err := url.Parse(d)
+			if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
+				return echo.NewHTTPError(http.StatusBadRequest,
+					a.i18n.Ts("globals.messages.invalidData")+": invalid CORS domain: "+d)
+			}
+			// Save clean scheme + host
+			cors = append(cors, u.Scheme+"://"+u.Host)
+		}
+	}
+	set.SecurityCORSOrigins = cors
+
 	// Validate slow query caching cron.
 	if set.CacheSlowQueries {
 		if _, err := cron.ParseStandard(set.CacheSlowQueriesInterval); err != nil {

cmd/upgrade.go

@@ -42,6 +42,7 @@ var migList = []migFunc{
 	{"v4.1.0", migrations.V4_1_0},
 	{"v5.0.0", migrations.V5_0_0},
 	{"v5.1.0", migrations.V5_1_0},
+	{"v5.2.0", migrations.V5_2_0},
 }
 
 // upgrade upgrades the database to the current version by running SQL migration files

frontend/src/views/settings/security.vue

@@ -131,7 +131,21 @@
           </b-field>
         </div>
       </div>
-    </div>
+    </div><!-- captcha -->
+
+    <hr />
+
+    <!-- CORS -->
+    <div class="columns">
+      <div class="column is-12">
+        <h3 class="is-size-6"><strong>CORS</strong></h3><br />
+        <b-field :label="$t('settings.security.CORSDomains')" label-position="on-border"
+          :message="$t('settings.security.CORSDomainsHelp')">
+          <b-input v-model="corsDomains" name="cors_origins" type="textarea" rows="5"
+            placeholder="https://example.com" />
+        </b-field>
+      </div>
+    </div><!-- cors -->
   </div>
 </template>
 
@@ -161,6 +175,17 @@ export default Vue.extend({
   computed: {
     ...mapState(['serverConfig', 'userRoles', 'listRoles']),
 
+    corsDomains: {
+      get() {
+        // Convert array to newline-separated string.
+        const domains = this.data['security.cors_origins'];
+        return domains && Array.isArray(domains) ? domains.join('\n') : '';
+      },
+      set(value) {
+        this.$set(this.data, 'security.cors_origins', value.split('\n'));
+      },
+    },
+
     captchaEnabled: {
       get() {
         return this.data['security.captcha'].altcha.enabled || this.data['security.captcha'].hcaptcha.enabled;

i18n/bg.json

@@ -523,6 +523,8 @@
     "settings.privacy.recordOptinIP": "Записване на IP адреса на opt-in",
     "settings.privacy.recordOptinIPHelp": "Записване на IP адреса на двойния opt-in в атрибутите на абоната.",
     "settings.restart": "Рестартиране",
+    "settings.security.CORSDomains": "Allowed origins",
+    "settings.security.CORSDomainsHelp": "Permit accessing API endpoints via browser Javascript from external domains. Enter one domain per line (e.g: https://example.com). Leave empty to disable CORS or add * to allow all (not recommended).",
     "settings.security.OIDCAutoCreateUsers": "Автоматично създаване на потребители",
     "settings.security.OIDCAutoCreateUsersHelp": "Автоматично създаване на потребител при първо влизане, ако акаунтът не съществува.",
     "settings.security.OIDCClientID": "ID на клиент",

i18n/ca.json

@@ -523,6 +523,8 @@
     "settings.privacy.recordOptinIP": "Registra l'adreça IP de l'opt-in",
     "settings.privacy.recordOptinIPHelp": "Registra l'adreça IP dels opt-ins dobles en els atributs del subscrit.",
     "settings.restart": "Reinicia",
+    "settings.security.CORSDomains": "Allowed origins",
+    "settings.security.CORSDomainsHelp": "Permit accessing API endpoints via browser Javascript from external domains. Enter one domain per line (e.g: https://example.com). Leave empty to disable CORS or add * to allow all (not recommended).",
     "settings.security.OIDCAutoCreateUsers": "Crea usuaris automàticament",
     "settings.security.OIDCAutoCreateUsersHelp": "Crea automàticament un usuari en el primer inici de sessió si el compte no existeix.",
     "settings.security.OIDCClientID": "ID del client",

i18n/cs-cz.json

@@ -523,6 +523,8 @@
     "settings.privacy.recordOptinIP": "Zaznamenávat IP adresy pro opt-in",
     "settings.privacy.recordOptinIPHelp": "Zaznamenávat IP adresy pro dvojí opt-in v atributu odběratele.",
     "settings.restart": "Restartovat",
+    "settings.security.CORSDomains": "Allowed origins",
+    "settings.security.CORSDomainsHelp": "Permit accessing API endpoints via browser Javascript from external domains. Enter one domain per line (e.g: https://example.com). Leave empty to disable CORS or add * to allow all (not recommended).",
     "settings.security.OIDCAutoCreateUsers": "Automaticky vytvořit uživatele",
     "settings.security.OIDCAutoCreateUsersHelp": "Automaticky vytvořit uživatele při prvním přihlášení, pokud účet neexistuje.",
     "settings.security.OIDCClientID": "ID klienta",

i18n/cy.json

@@ -523,6 +523,8 @@
     "settings.privacy.recordOptinIP": "Cofnodi cyfeiriad IP dewis mewn",
     "settings.privacy.recordOptinIPHelp": "Cofnodi cyfeiriad IP ar bwyntio dwbl yn manylion tanysgrifiwr.",
     "settings.restart": "Ailgychwyn",
+    "settings.security.CORSDomains": "Allowed origins",
+    "settings.security.CORSDomainsHelp": "Permit accessing API endpoints via browser Javascript from external domains. Enter one domain per line (e.g: https://example.com). Leave empty to disable CORS or add * to allow all (not recommended).",
     "settings.security.OIDCAutoCreateUsers": "Creu defnyddwyr yn awtomatig",
     "settings.security.OIDCAutoCreateUsersHelp": "Creu defnyddiwr yn awtomatig ar y mewngofnodi cyntaf os nad yw'r cyfrif yn bodoli.",
     "settings.security.OIDCClientID": "ID Cleient",

i18n/da.json

@@ -523,6 +523,8 @@
     "settings.privacy.recordOptinIP": "Optag opt-in IP-adresse",
     "settings.privacy.recordOptinIPHelp": "Optag IP-adressen for dobbelt opt-ins i abonnentattributter.",
     "settings.restart": "Genstart",
+    "settings.security.CORSDomains": "Allowed origins",
+    "settings.security.CORSDomainsHelp": "Permit accessing API endpoints via browser Javascript from external domains. Enter one domain per line (e.g: https://example.com). Leave empty to disable CORS or add * to allow all (not recommended).",
     "settings.security.OIDCAutoCreateUsers": "Opret automatisk brugere",
     "settings.security.OIDCAutoCreateUsersHelp": "Opret automatisk bruger ved første login, hvis kontoen ikke eksisterer.",
     "settings.security.OIDCClientID": "Klient-ID",