refactor: allow cors from preview environments (#1773)

* refactor: allow cors from preview environments

* refactor: separate cors origin for staging

* refactor: not a secret; don't escape

.circleci/config.yml

@@ -356,6 +356,9 @@ jobs:
       gateway-admin-key:
         description: "Admin API key that authorizes gateway requests to auth service, for key to jwt conversion."
         type: string
+      cors-origin:
+        description: "Where CORS requests are allowed from"
+        type: string
       permit-api-key:
         description: "Permit.io API key for the Permit environment that matches the current ${SHUTTLE_ENV}."
         type: string
@@ -386,6 +389,7 @@ jobs:
             AUTH_JWTSIGNING_PRIVATE_KEY=${<< parameters.jwt-signing-private-key >>} \
             CONTROL_DB_POSTGRES_URI=${<< parameters.control-db-postgres-uri >>} \
             GATEWAY_ADMIN_KEY=${<< parameters.gateway-admin-key >>} \
+            CORS_ORIGIN=<< parameters.cors-origin >> \
             PERMIT_API_KEY=${<< parameters.permit-api-key >>} \
             make deploy
       - when:
@@ -753,6 +757,7 @@ workflows:
           jwt-signing-private-key: DEV_AUTH_JWTSIGNING_PRIVATE_KEY
           control-db-postgres-uri: DEV_CONTROL_DB_POSTGRES_URI
           gateway-admin-key: DEV_GATEWAY_ADMIN_KEY
+          cors-origin: getsynth.vercel.app
           permit-api-key: STAGING_PERMIT_API_KEY
           requires:
             - build-and-push-unstable
@@ -838,6 +843,7 @@ workflows:
           jwt-signing-private-key: PROD_AUTH_JWTSIGNING_PRIVATE_KEY
           control-db-postgres-uri: PROD_CONTROL_DB_POSTGRES_URI
           gateway-admin-key: PROD_GATEWAY_ADMIN_KEY
+          cors-origin: console.shuttle.rs
           permit-api-key: PROD_PERMIT_API_KEY
           ssh-fingerprint: 6a:c5:33:fe:5b:c9:06:df:99:64:ca:17:0d:32:18:2e
           ssh-config-script: production-ssh-config.sh

Makefile

@@ -76,6 +76,8 @@ DEV_SUFFIX=-dev
 DEPLOYS_API_KEY?=gateway4deployes
 GATEWAY_ADMIN_KEY?=dh9z58jttoes3qvt
 
+CORS_ORIGIN?=localhost:3001
+
 # this should use the same version as our prod RDS database
 CONTROL_DB_POSTGRES_TAG?=15
 CONTROL_DB_POSTGRES_PASSWORD?=postgres
@@ -126,6 +128,7 @@ DOCKER_COMPOSE_ENV=\
 	STRIPE_SECRET_KEY=$(STRIPE_SECRET_KEY)\
 	AUTH_JWTSIGNING_PRIVATE_KEY=$(AUTH_JWTSIGNING_PRIVATE_KEY)\
 	GATEWAY_ADMIN_KEY=$(GATEWAY_ADMIN_KEY)\
+	CORS_ORIGIN=$(CORS_ORIGIN)\
 	DD_ENV=$(DD_ENV)\
 	USE_TLS=$(USE_TLS)\
 	COMPOSE_PROFILES=$(COMPOSE_PROFILES)\

docker-compose.dev.yml

@@ -88,7 +88,7 @@ services:
       - "--provisioner-uri=http://provisioner:8000"
       - "--proxy-fqdn=${APPS_FQDN}"
       - "--use-tls=${USE_TLS}"
-      - "--cors-origin=http://localhost:3001"
+      - "--cors-origin=${CORS_ORIGIN}"
       - "--admin-key=${GATEWAY_ADMIN_KEY}"
       - "--permit-api-uri=https://api.eu-central-1.permit.io"
       - "--permit-pdp-uri=http://permit-pdp:7000"

docker-compose.yml

@@ -122,7 +122,7 @@ services:
       - "--provisioner-uri=http://provisioner:8000"
       - "--proxy-fqdn=${APPS_FQDN}"
       - "--use-tls=${USE_TLS}"
-      - "--cors-origin=https://console.shuttle.rs"
+      - "--cors-origin=${CORS_ORIGIN}"
       - "--admin-key=${GATEWAY_ADMIN_KEY}"
       - "--permit-api-uri=https://api.eu-central-1.permit.io"
       - "--permit-pdp-uri=http://permit-pdp:7000"

gateway/src/api/latest.rs

@@ -15,7 +15,7 @@ use axum::{Json as AxumJson, Router};
 use fqdn::FQDN;
 use futures::Future;
 use http::header::AUTHORIZATION;
-use http::{HeaderValue, Method, StatusCode, Uri};
+use http::{request, HeaderValue, Method, StatusCode, Uri};
 use instant_acme::{AccountCredentials, ChallengeType};
 use serde::{Deserialize, Serialize};
 use shuttle_backends::auth::{AuthPublicKey, JwtAuthenticationLayer, ScopedLayer};
@@ -39,7 +39,7 @@ use shuttle_proto::provisioner::Ping;
 use tokio::sync::mpsc::Sender;
 use tokio::sync::{Mutex, MutexGuard};
 use tower::ServiceBuilder;
-use tower_http::cors::CorsLayer;
+use tower_http::cors::{AllowOrigin, CorsLayer};
 use tracing::{debug, error, field, info, instrument, trace, warn, Span};
 use ttl_cache::TtlCache;
 use ulid::Ulid;
@@ -1194,15 +1194,17 @@ impl ApiBuilder {
     }
 
     pub fn with_cors(mut self, cors_origin: &str) -> Self {
+        let cors_origin = cors_origin.to_owned();
+
         let cors_layer = CorsLayer::new()
             .allow_methods(vec![Method::GET, Method::POST, Method::DELETE])
             .allow_headers(vec![AUTHORIZATION])
             .max_age(Duration::from_secs(60) * 10)
-            .allow_origin(
-                cors_origin
-                    .parse::<HeaderValue>()
-                    .expect("to be able to parse the CORS origin"),
-            );
+            .allow_origin(AllowOrigin::predicate(
+                move |origin: &HeaderValue, _request_parts: &request::Parts| {
+                    origin.as_bytes().ends_with(cors_origin.as_bytes())
+                },
+            ));
 
         self.router = self.router.layer(cors_layer);