Disable Cors from http (#1309)

* feat(backend): added support for new env variable to enable/disable Access-Control-* headers (#1308) * fix(docker): fix the integer value in docker Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> --------- Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> Co-authored-by: Alexander <zavorotynskiy@pm.me>
2023-06-07 09:43:00 +02:00 · 2023-06-07 09:43:00 +02:00 · aa26d735f0
commit aa26d735f0
parent 63d8baba58
3 changed files with 28 additions and 21 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -87,8 +87,11 @@ ENV TZ=UTC \
    MAX_FILE_SIZE=100000000 \
    USE_ENCRYPTION=false \
    # Use to enable cloud specific feature
-    CLOUD="aws"
-
+    CLOUD="aws" \
+    # Use to set compression threshold for tracker requests (20kb by default)
+    COMPRESSION_THRESHOLD=20000 \
+    # Set Access-Control-* headers for tracker requests if true
+    USE_CORS=false

 RUN if [ "$SERVICE_NAME" = "http" ]; then \
  wget https://raw.githubusercontent.com/ua-parser/uap-core/master/regexes.yaml -O "$UAPARSER_FILE" &&\
--- a/backend/internal/config/http/config.go
+++ b/backend/internal/config/http/config.go
@ -10,21 +10,23 @@ import (
 type Config struct {
 	common.Config
 	common.Postgres
-	HTTPHost          string        `env:"HTTP_HOST,default="`
-	HTTPPort          string        `env:"HTTP_PORT,required"`
-	HTTPTimeout       time.Duration `env:"HTTP_TIMEOUT,default=60s"`
-	TopicRawWeb       string        `env:"TOPIC_RAW_WEB,required"`
-	TopicRawIOS       string        `env:"TOPIC_RAW_IOS,required"`
-	BeaconSizeLimit   int64         `env:"BEACON_SIZE_LIMIT,required"`
-	JsonSizeLimit     int64         `env:"JSON_SIZE_LIMIT,default=1000"`
-	FileSizeLimit     int64         `env:"FILE_SIZE_LIMIT,default=10000000"`
-	AWSRegion         string        `env:"AWS_REGION,required"`
-	S3BucketIOSImages string        `env:"S3_BUCKET_IOS_IMAGES,required"`
-	TokenSecret       string        `env:"TOKEN_SECRET,required"`
-	UAParserFile      string        `env:"UAPARSER_FILE,required"`
-	MaxMinDBFile      string        `env:"MAXMINDDB_FILE,required"`
-	UseProfiler       bool          `env:"PROFILER_ENABLED,default=false"`
-	WorkerID          uint16
+	HTTPHost                string        `env:"HTTP_HOST,default="`
+	HTTPPort                string        `env:"HTTP_PORT,required"`
+	HTTPTimeout             time.Duration `env:"HTTP_TIMEOUT,default=60s"`
+	TopicRawWeb             string        `env:"TOPIC_RAW_WEB,required"`
+	TopicRawIOS             string        `env:"TOPIC_RAW_IOS,required"`
+	BeaconSizeLimit         int64         `env:"BEACON_SIZE_LIMIT,required"`
+	CompressionThreshold    int64         `env:"COMPRESSION_THRESHOLD,default=20000"`
+	JsonSizeLimit           int64         `env:"JSON_SIZE_LIMIT,default=1000"`
+	FileSizeLimit           int64         `env:"FILE_SIZE_LIMIT,default=10000000"`
+	AWSRegion               string        `env:"AWS_REGION,required"`
+	S3BucketIOSImages       string        `env:"S3_BUCKET_IOS_IMAGES,required"`
+	TokenSecret             string        `env:"TOKEN_SECRET,required"`
+	UAParserFile            string        `env:"UAPARSER_FILE,required"`
+	MaxMinDBFile            string        `env:"MAXMINDDB_FILE,required"`
+	UseProfiler             bool          `env:"PROFILER_ENABLED,default=false"`
+	UseAccessControlHeaders bool          `env:"USE_CORS,default=false"`
+	WorkerID                uint16
 }

 func New() *Config {
--- a/backend/internal/http/router/router.go
+++ b/backend/internal/http/router/router.go
@ -116,10 +116,12 @@ func (e *Router) root(w http.ResponseWriter, r *http.Request) {

 func (e *Router) corsMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Prepare headers for preflight requests
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "POST")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Content-Encoding")
+		if e.cfg.UseAccessControlHeaders {
+			// Prepare headers for preflight requests
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "POST")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Content-Encoding")
+		}
 		if r.Method == http.MethodOptions {
 			w.Header().Set("Cache-Control", "max-age=86400")
 			w.WriteHeader(http.StatusOK)