feat: Include CORS access controls for the web-ui

dormant-user · dormant-user · commit 5631c5eee2db · 2026-05-23T22:47:52.000-05:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,3 +44,4 @@ rusqlite = { version = "0.39", features = ["bundled"] }
 dirs = "6.0.0"
 minijinja = "2.20.0"
 base64 = "0.22.1"
+actix-cors = "0.7.1"
diff --git a/src/lib.rs b/src/lib.rs
@@ -1,6 +1,8 @@
 #![allow(rustdoc::bare_urls)]
 #![doc = include_str!("../README.md")]
 
+use actix_cors::Cors;
+use actix_web::http::header;
 use actix_web::{web, App, HttpServer};
 use std::sync::Arc;
 use tokio::sync::RwLock;
@@ -79,7 +81,20 @@ pub async fn start() -> std::io::Result<()> {
     );
 
     HttpServer::new(move || {
+        let mut cors = Cors::default()
+            .allowed_methods(vec!["GET", "POST", "PUT", "DELETE"])
+            .allowed_headers(vec![
+                header::CONTENT_TYPE,
+                header::AUTHORIZATION,
+                header::HeaderName::from_static("apikey"),
+            ])
+            .max_age(3600);
+        for origin in &config.allowed_origins {
+            cors = cors.allowed_origin(origin.as_str());
+        }
+
         App::new()
+            .wrap(cors)
             .app_data(web::Data::new(state.clone()))
             .app_data(web::Data::new(pending.clone()))
             .app_data(web::Data::new(config.clone()))
diff --git a/src/settings.rs b/src/settings.rs
@@ -53,6 +53,7 @@ pub struct Config {
     pub port: u16,
     pub username: String,
     pub password: String,
+    pub allowed_origins: Vec<String>,
 
     pub apikey: String,
     pub workers: usize,
@@ -105,6 +106,15 @@ impl Config {
             .unwrap();
         let username = squire::get_env_var("username", None);
         let password = squire::get_env_var("password", None);
+        let default_allowed = format!(
+            "http://{host}:{port},http://0.0.0.0:{port},http://localhost:{port}",
+            host = host,
+            port = port
+        );
+        let allowed_origins = squire::get_env_var("allowed_origins", Some(&default_allowed))
+            .split(',')
+            .map(String::from)
+            .collect();
 
         let apikey = squire::get_env_var("apikey", None);
         if apikey.is_empty() {
@@ -193,6 +203,7 @@ impl Config {
             port,
             username,
             password,
+            allowed_origins,
             apikey,
             workers,
             qbit_url,
