feat: Add allowed origins config

README.md

@@ -375,6 +375,19 @@ Note: `sudo` is needed above for the redirection server (to bind port 80).
 
 A valid email address is necessary for the creation of the certificate, and is important to get notifications from the Certificate Authority - in case the certificate is about to expire, etc.
 
+## Supporting CORS
+
+When accessing DefraDB through a frontend interface, you may be confronted with a CORS error. That is because, by default, DefraDB will not have any allowed origins set. To specify which origins should be allowed to access your DefraDB endpoint, you can specify them when starting the database:
+```shell
+defradb start --allowe-dorigins=https://yourdomain.com
+```
+
+If running a frontend app locally on localhost, allowed origins must be set with the port of the app:
+```shell
+defradb start --allowed-origins=http://localhost:3000
+```
+
+The catch-all `*` is also a valid origin. 
 
 ## Community
 

cli/start.go

@@ -154,6 +154,15 @@ func MakeStartCommand(cfg *config.Config) *cobra.Command {
 		log.FeedbackFatalE(context.Background(), "Could not bind api.tls", err)
 	}
 
+	cmd.Flags().StringArray(
+		"allowed-origins", cfg.API.AllowedOrigins,
+		"List of origins to allow for CORS requests",
+	)
+	err = cfg.BindFlag("api.allowed-origins", cmd.Flags().Lookup("allowed-origins"))
+	if err != nil {
+		log.FeedbackFatalE(context.Background(), "Could not bind api.allowed-origins", err)
+	}
+
 	cmd.Flags().String(
 		"pubkeypath", cfg.API.PubKeyPath,
 		"Path to the public key for tls",
@@ -319,6 +328,7 @@ func start(ctx context.Context, cfg *config.Config) (*defraInstance, error) {
 	sOpt := []func(*httpapi.Server){
 		httpapi.WithAddress(cfg.API.Address),
 		httpapi.WithRootDir(cfg.Rootdir),
+		httpapi.WithAllowedOrigins(cfg.API.AllowedOrigins...),
 	}
 
 	if n != nil {

config/config.go

@@ -287,20 +287,22 @@ func (dbcfg DatastoreConfig) validate() error {
 
 // APIConfig configures the API endpoints.
 type APIConfig struct {
-	Address     string
-	TLS         bool
-	PubKeyPath  string
-	PrivKeyPath string
-	Email       string
+	Address        string
+	TLS            bool
+	AllowedOrigins []string `mapstructure:"allowed-origins"`
+	PubKeyPath     string
+	PrivKeyPath    string
+	Email          string
 }
 
 func defaultAPIConfig() *APIConfig {
 	return &APIConfig{
-		Address:     "localhost:9181",
-		TLS:         false,
-		PubKeyPath:  "certs/server.key",
-		PrivKeyPath: "certs/server.crt",
-		Email:       DefaultAPIEmail,
+		Address:        "localhost:9181",
+		TLS:            false,
+		AllowedOrigins: []string{},
+		PubKeyPath:     "certs/server.key",
+		PrivKeyPath:    "certs/server.crt",
+		Email:          DefaultAPIEmail,
 	}
 }
 

config/configfile_yaml.gotmpl

@@ -23,6 +23,8 @@ api:
     address: {{ .API.Address }}
     # Whether the API server should listen over HTTPS
     tls: {{ .API.TLS }}
+    # The list of origins a cross-domain request can be executed from.
+    # allowed-origins: {{ .API.AllowedOrigins }}
     # The path to the public key file. Ignored if domains is set.
     pubkeypath: {{ .API.PubKeyPath }}
     # The path to the private key file. Ignored if domains is set.