From 329a86c004c42a224132dc7b20d0fc42f12e6bb4 Mon Sep 17 00:00:00 2001 From: Fred Carle Date: Sat, 22 Apr 2023 20:36:50 -0400 Subject: [PATCH 1/5] add AllowedOrigins to API congif --- config/config.go | 22 ++++++++++++---------- config/configfile_yaml.gotmpl | 1 + 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/config/config.go b/config/config.go index b1fbaa20c0..5c3a58bbde 100644 --- a/config/config.go +++ b/config/config.go @@ -287,20 +287,22 @@ func (dbcfg DatastoreConfig) validate() error { // APIConfig configures the API endpoints. type APIConfig struct { - Address string - TLS bool - PubKeyPath string - PrivKeyPath string - Email string + Address string + TLS bool + AllowedOrigins []string + PubKeyPath string + PrivKeyPath string + Email string } func defaultAPIConfig() *APIConfig { return &APIConfig{ - Address: "localhost:9181", - TLS: false, - PubKeyPath: "certs/server.key", - PrivKeyPath: "certs/server.crt", - Email: DefaultAPIEmail, + Address: "localhost:9181", + TLS: false, + AllowedOrigins: []string{"*"}, + PubKeyPath: "certs/server.key", + PrivKeyPath: "certs/server.crt", + Email: DefaultAPIEmail, } } diff --git a/config/configfile_yaml.gotmpl b/config/configfile_yaml.gotmpl index 77dc7f541e..f9e0815945 100644 --- a/config/configfile_yaml.gotmpl +++ b/config/configfile_yaml.gotmpl @@ -23,6 +23,7 @@ api: address: {{ .API.Address }} # Whether the API server should listen over HTTPS tls: {{ .API.TLS }} + allowedorigins: {{ .API.AllowedOrigins }} # The path to the public key file. Ignored if domains is set. pubkeypath: {{ .API.PubKeyPath }} # The path to the private key file. Ignored if domains is set. From bedeea6fbc3d21d5b3cbec73a58ef03f9494c5e2 Mon Sep 17 00:00:00 2001 From: Fred Carle Date: Wed, 26 Apr 2023 12:05:32 -0400 Subject: [PATCH 2/5] add config file and CLI option --- cli/start.go | 10 ++++++++++ config/configfile_yaml.gotmpl | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) 
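Review bot: The new `AllowedOrigins` field in `APIConfig` has no comment saying what an empty list or `*` means, although it decides which web origins may read API responses from a browser. I would document it on the field, e.g. `// AllowedOrigins lists the origins allowed to make cross-origin (CORS) requests; "*" allows any origin.` The `[]string{"*"}` default set in `defaultAPIConfig` here is replaced by an empty list in PATCH 3/5, so that line needs no further change. Config sections have `validate()` methods (the hunk header shows the one for `DatastoreConfig`); whether the API section checks the shape of these entries is not visible here and is worth confirming.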
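Review bot: `allowedorigins: {{ .API.AllowedOrigins }}` prints the slice with Go's default formatting, so two origins come out as `[https://a.example https://b.example]` (constructed values), which YAML reads as one string element. The `*` default of this commit comes out as `[*]`, which is not the string `*` in YAML. PATCH 2/5 and PATCH 5/5 keep the same expression and only comment the line out, so a generated config file still shows the Go formatting and does not carry configured origins as an active setting. Rendering each entry quoted would keep the file loadable: `allowedorigins: [{{ range $i, $o := .API.AllowedOrigins }}{{ if $i }}, {{ end }}{{ printf "%q" $o }}{{ end }}]`.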
diff --git a/cli/start.go b/cli/start.go index a27347b0af..4675375cb0 100644 --- a/cli/start.go +++ b/cli/start.go @@ -154,6 +154,15 @@ func MakeStartCommand(cfg *config.Config) *cobra.Command { log.FeedbackFatalE(context.Background(), "Could not bind api.tls", err) } + cmd.Flags().StringArray( + "allowedorigins", cfg.API.AllowedOrigins, + "List of origins to allow for CORS requests", + ) + err = cfg.BindFlag("api.allowedorigins", cmd.Flags().Lookup("allowedorigins")) + if err != nil { + log.FeedbackFatalE(context.Background(), "Could not bind api.allowedorigins", err) + } + cmd.Flags().String( "pubkeypath", cfg.API.PubKeyPath, "Path to the public key for tls", @@ -319,6 +328,7 @@ func start(ctx context.Context, cfg *config.Config) (*defraInstance, error) { sOpt := []func(*httpapi.Server){ httpapi.WithAddress(cfg.API.Address), httpapi.WithRootDir(cfg.Rootdir), + httpapi.WithAllowedOrigins(cfg.API.AllowedOrigins...), } if n != nil { diff --git a/config/configfile_yaml.gotmpl b/config/configfile_yaml.gotmpl index f9e0815945..6a0d3607ca 100644 --- a/config/configfile_yaml.gotmpl +++ b/config/configfile_yaml.gotmpl @@ -23,7 +23,8 @@ api: address: {{ .API.Address }} # Whether the API server should listen over HTTPS tls: {{ .API.TLS }} - allowedorigins: {{ .API.AllowedOrigins }} + # The list of origins a cross-domain request can be executed from. + # allowedorigins: {{ .API.AllowedOrigins }} # The path to the public key file. Ignored if domains is set. pubkeypath: {{ .API.PubKeyPath }} # The path to the private key file. Ignored if domains is set. From b7079b92c14f125525ec5add50ba4e9672ce9fd6 Mon Sep 17 00:00:00 2001 From: Fred Carle Date: Wed, 26 Apr 2023 13:51:19 -0400 Subject: [PATCH 3/5] change to retrictive default --- config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.go b/config/config.go index 5c3a58bbde..ecc2ef1941 100644 --- a/config/config.go +++ b/config/config.go 
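Review bot: The flag is declared with `StringArray`, which takes one value per occurrence and does not split on commas, but the help text `List of origins to allow for CORS requests` does not say so. A user passing `a,b` would get a single origin string that presumably matches no real `Origin` header. I would spell out the usage and the wildcard in the help, e.g. `"Origin to allow for CORS requests; repeat the flag for several, '*' allows any origin"`. As far as this hunk shows, the values are bound without any check on their shape. `MakeStartCommand` begins and ends outside the hunk.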
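Review bot: `httpapi.WithAllowedOrigins(cfg.API.AllowedOrigins...)` passes the configured list straight to the server, so a `*` entry takes effect silently. With `*`, any site open in the operator's browser can send cross-origin requests to the API and read the responses, and the defaults elsewhere in this series are `localhost:9181` with `TLS: false`. I would log a startup warning in `start` when the list contains `*`, with a message such as `api.allowedorigins contains "*": any web origin can call this API`. How `WithAllowedOrigins` treats an empty list is defined in `httpapi`, outside this patch, and should be confirmed to mean no cross-origin access. `start` continues outside the hunk.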
@@ -299,7 +299,7 @@ func defaultAPIConfig() *APIConfig { return &APIConfig{ Address: "localhost:9181", TLS: false, - AllowedOrigins: []string{"*"}, + AllowedOrigins: []string{}, PubKeyPath: "certs/server.key", PrivKeyPath: "certs/server.crt", Email: DefaultAPIEmail, From 11fbf7291c8f472352fdc3adbb9dcb3ce3e8c360 Mon Sep 17 00:00:00 2001 From: Fred Carle Date: Wed, 26 Apr 2023 14:21:56 -0400 Subject: [PATCH 4/5] add readme doc for CORS --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index d46d2b3f16..07dfd05689 100644 --- a/README.md +++ b/README.md @@ -375,6 +375,19 @@ Note: `sudo` is needed above for the redirection server (to bind port 80). A valid email address is necessary for the creation of the certificate, and is important to get notifications from the Certificate Authority - in case the certificate is about to expire, etc. +## Supporting CORS + +When accessing DefraDB through a frontend interface, you may be confronted with a CORS error. That is because, by default, DefraDB will not have any allowed origins set. To specify which origins should be allowed to access your DefraDB endpoint, you can specify them when starting the database: +```shell +defradb start --allowedorigins=https://yourdomain.com +``` + +If running a frontend app locally on localhost, allowed origins must be set with the port of the app: +```shell +defradb start --allowedorigins=http://localhost:3000 +``` + +The catch-all `*` is also a valid origin. ## Community From 78e3de199dad5f34aa67b29612222fc91ba9499f Mon Sep 17 00:00:00 2001 From: Fred Carle Date: Thu, 27 Apr 2023 12:53:34 -0400 Subject: [PATCH 5/5] change to allowed-origins --- README.md | 4 ++-- cli/start.go | 6 +++--- config/config.go | 2 +- config/configfile_yaml.gotmpl | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 07dfd05689..a9d5fbcec1 100644 --- a/README.md +++ b/README.md 
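Review bot: The switch to `AllowedOrigins: []string{}` is a security-relevant default, but nothing on the line says it is deliberate, so a later edit could reintroduce `*` unnoticed. A short why-comment above the field would record the intent, e.g. `// No origins by default: cross-origin access is opt-in.` A unit test asserting that `defaultAPIConfig().AllowedOrigins` is empty would pin it as well. `defaultAPIConfig` opens in the hunk header and closes outside the hunk.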
@@ -379,12 +379,12 @@ A valid email address is necessary for the creation of the certificate, and is i When accessing DefraDB through a frontend interface, you may be confronted with a CORS error. That is because, by default, DefraDB will not have any allowed origins set. To specify which origins should be allowed to access your DefraDB endpoint, you can specify them when starting the database: ```shell -defradb start --allowedorigins=https://yourdomain.com +defradb start --allowe-dorigins=https://yourdomain.com ``` If running a frontend app locally on localhost, allowed origins must be set with the port of the app: ```shell -defradb start --allowedorigins=http://localhost:3000 +defradb start --allowed-origins=http://localhost:3000 ``` The catch-all `*` is also a valid origin. diff --git a/cli/start.go b/cli/start.go index 4675375cb0..347f5c9230 100644 --- a/cli/start.go +++ b/cli/start.go @@ -155,12 +155,12 @@ func MakeStartCommand(cfg *config.Config) *cobra.Command { } cmd.Flags().StringArray( - "allowedorigins", cfg.API.AllowedOrigins, + "allowed-origins", cfg.API.AllowedOrigins, "List of origins to allow for CORS requests", ) - err = cfg.BindFlag("api.allowedorigins", cmd.Flags().Lookup("allowedorigins")) + err = cfg.BindFlag("api.allowed-origins", cmd.Flags().Lookup("allowed-origins")) if err != nil { - log.FeedbackFatalE(context.Background(), "Could not bind api.allowedorigins", err) + log.FeedbackFatalE(context.Background(), "Could not bind api.allowed-origins", err) } cmd.Flags().String( diff --git a/config/config.go b/config/config.go index ecc2ef1941..17afb01c49 100644 --- a/config/config.go +++ b/config/config.go @@ -289,7 +289,7 @@ func (dbcfg DatastoreConfig) validate() error { type APIConfig struct { Address string TLS bool - AllowedOrigins []string + AllowedOrigins []string `mapstructure:"allowed-origins"` PubKeyPath string PrivKeyPath string Email string 
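Review bot: The flag registered here is now `allowed-origins`, but the first README example changed in this same commit reads `defradb start --allowe-dorigins=https://yourdomain.com`, which does not match it and would presumably be rejected as an unknown flag. That README line should read `defradb start --allowed-origins=https://yourdomain.com`. The bind key `api.allowed-origins` agrees with the `mapstructure:"allowed-origins"` tag added in config/config.go, while sibling keys such as `pubkeypath` stay unhyphenated, so the difference in key style deserves a sentence in the config documentation. `MakeStartCommand` begins and ends outside the hunk.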
diff --git a/config/configfile_yaml.gotmpl b/config/configfile_yaml.gotmpl index 6a0d3607ca..8e011658e9 100644 --- a/config/configfile_yaml.gotmpl +++ b/config/configfile_yaml.gotmpl @@ -24,7 +24,7 @@ api: # Whether the API server should listen over HTTPS tls: {{ .API.TLS }} # The list of origins a cross-domain request can be executed from. - # allowedorigins: {{ .API.AllowedOrigins }} + # allowed-origins: {{ .API.AllowedOrigins }} # The path to the public key file. Ignored if domains is set. pubkeypath: {{ .API.PubKeyPath }} # The path to the private key file. Ignored if domains is set.