Allow setting multiple values for cors_origin (fixes #5198) (#5353)

* Allow setting multiple values for cors_origin (fixes #5198) * fmt * mention env var
2025-02-09 02:24:46 +00:00 · 2025-01-27 17:54:42 +00:00 · 2025-01-27 17:54:42 +00:00 · aa3f4f07e3
commit aa3f4f07e3
parent 012e8c3085
3 changed files with 20 additions and 25 deletions
--- a/config/defaults.hjson
+++ b/config/defaults.hjson
@ -110,7 +110,11 @@
    bind: "127.0.0.1"
    port: 10002
  }
-  # Sets a response Access-Control-Allow-Origin CORS header
+  # Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment:
+  # `LEMMY_CORS_ORIGIN=example.org,site.com`
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
-  cors_origin: "lemmy.tld"
+  cors_origin: [
+    "lemmy.tld"
+    /* ... */
+  ]
 }
--- a/crates/routes/src/utils/mod.rs
+++ b/crates/routes/src/utils/mod.rs
@ -9,30 +9,19 @@ pub fn cors_config(settings: &Settings) -> Cors {
  let self_origin = settings.get_protocol_and_hostname();
  let cors_origin_setting = settings.cors_origin();

-  // A default setting for either wildcard, or None
-  let cors_default = Cors::default()
-    .allow_any_origin()
+  let mut cors = Cors::default()
    .allow_any_method()
    .allow_any_header()
    .expose_any_header()
    .max_age(3600);

-  match (cors_origin_setting.clone(), cfg!(debug_assertions)) {
-    (Some(origin), false) => {
-      // Need to call send_wildcard() explicitly, passing this into allowed_origin() results in
-      // error
-      if origin == "*" {
-        cors_default
-      } else {
-        Cors::default()
-          .allowed_origin(&origin)
-          .allowed_origin(&self_origin)
-          .allow_any_method()
-          .allow_any_header()
-          .expose_any_header()
-          .max_age(3600)
-      }
+  if cfg!(debug_assertions) || cors_origin_setting.contains(&"*".to_string()) {
+    cors = cors.allow_any_origin();
+  } else {
+    cors = cors.allowed_origin(&self_origin);
+    for c in cors_origin_setting {
+      cors = cors.allowed_origin(&c);
    }
-    _ => cors_default,
  }
+  cors
 }
--- a/crates/utils/src/settings/structs.rs
+++ b/crates/utils/src/settings/structs.rs
@ -44,17 +44,19 @@ pub struct Settings {
  // Prometheus configuration.
  #[doku(example = "Some(Default::default())")]
  pub prometheus: Option<PrometheusConfig>,
-  /// Sets a response Access-Control-Allow-Origin CORS header
+  /// Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment:
+  /// `LEMMY_CORS_ORIGIN=example.org,site.com`
  /// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
  #[doku(example = "lemmy.tld")]
-  cors_origin: Option<String>,
+  cors_origin: Vec<String>,
 }

 impl Settings {
-  pub fn cors_origin(&self) -> Option<String> {
+  pub fn cors_origin(&self) -> Vec<String> {
    env::var("LEMMY_CORS_ORIGIN")
      .ok()
-      .or(self.cors_origin.clone())
+      .map(|e| e.split(',').map(ToString::to_string).collect())
+      .unwrap_or(self.cors_origin.clone())
  }
 }