fix: setup CORS as a public API

Author: alexgarel

.env

@@ -46,7 +46,7 @@ MEM_LIMIT=4294967296
 
 # This is the name of a network possibly shared with other containers
 # on dev connect to the same network as off-server
-COMMON_NET_NAME=po_default
+COMMON_NET_NAME=po_off_default
 
 # Sentry DNS for bug tracking, used only in staging and production
 SENTRY_DNS=
@@ -57,7 +57,3 @@ LOG_LEVEL=DEBUG
 # Path to the yaml configuration file
 # This envvar is **required**
 CONFIG_PATH=
-
-
-# For local development only allow CORS from localhost. Set to '*' to allow all remote access.
-ALLOWED_ORIGINS='http://localhost,http://127.0.0.1'

.github/workflows/container-deploy.yml

@@ -38,8 +38,6 @@ jobs:
         # in staging Product Opener is deployed on the same VM
         echo "COMMON_NET_NAME=po_webnet" >> $GITHUB_ENV
         echo "OFF_API_URL=https://world.openfoodfacts.net" >> $GITHUB_ENV
-        echo "ALLOWED_ORIGINS='*'" >> $GITHUB_ENV
-        
         echo "REDIS_HOST=redis" >> $GITHUB_ENV
     - name: Set various variable for production deployment
       if: matrix.env == 'off-search-org'
@@ -50,7 +48,6 @@ jobs:
         # separate server and is not dockerized
         echo "COMMON_NET_NAME=po_webnet" >> $GITHUB_ENV
         echo "OFF_API_URL=https://world.openfoodfacts.org" >> $GITHUB_ENV
-        echo "ALLOWED_ORIGINS='*'" >> $GITHUB_ENV
         # REDIS_HOST: this is the IP address of the stunnel VM
         echo "REDIS_HOST=10.1.0.113" >> $GITHUB_ENV
     - name: Wait for search service image container build workflow
@@ -165,7 +162,6 @@ jobs:
           echo "SENTRY_DNS=${{ secrets.SENTRY_DSN }}" >> .env
           echo "CONFIG_PATH=data/config/openfoodfacts.yml" >> .env
           echo "OFF_API_URL=${{ env.OFF_API_URL }}" >> .env
-          echo "ALLOWED_ORIGINS=${{ env.ALLOWED_ORIGINS }}" >> .env
 
     - name: Create Docker volumes
       uses: appleboy/ssh-action@master

.github/workflows/pre-commit.yml

@@ -18,7 +18,6 @@ jobs:
         echo "" > .envrc
         echo CONFIG_PATH=data/config/openfoodfacts.yml >> .envrc
         echo OFF_API_URL=https://world.openfoodfacts.org >> .envrc
-        echo ALLOWED_ORIGINS='http://localhost,http://127.0.0.1' >> .envrc
         echo USER_IID=$(id -u) >>.envrc
         echo USER_GID=$(id -g) >>.envrc
         make build

app/api.py

@@ -1,5 +1,4 @@
 import json
-import os
 from pathlib import Path
 from typing import Annotated, Any, cast
 
@@ -53,14 +52,12 @@
     },
     description=API_DESCRIPTION,
 )
-ALLOWED_ORIGINS = os.environ.get(
-    "ALLOWED_ORIGINS", "http://localhost,http://127.0.0.1"
-).split(",")
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=ALLOWED_ORIGINS,
+    # this is a public API
+    allow_origin_regex="https?://.*",
     allow_credentials=True,
-    allow_methods=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allow_headers=["*"],
 )
 templates = Jinja2Templates(directory=Path(__file__).parent / "templates")

docker-compose.yml

@@ -45,7 +45,6 @@ x-api-common: &api-common
     - CONFIG_PATH
     # URL of the OFF API
     - OFF_API_URL
-    - ALLOWED_ORIGINS
   networks:
     - default
     - common_net

docs/devs/how-to-install.md

@@ -42,7 +42,6 @@ export USER_UID=<your_user_uid>
 
 export CONFIG_PATH=data/config/openfoodfacts.yml
 export OFF_API_URL=https://world.openfoodfacts.org
-export ALLOWED_ORIGINS='http://localhost,http://127.0.0.1'
 ```
 
 [^winEnvrc]: For Windows users, the .envrc is only taken into account by the `make` commands.