From aa3f4f07e31fb414b96ed2606dded7d54c142a90 Mon Sep 17 00:00:00 2001
From: Nutomic
Date: Mon, 27 Jan 2025 17:54:42 +0000
Subject: [PATCH] Allow setting multiple values for cors_origin (fixes #5198) (#5353)
* Allow setting multiple values for cors_origin (fixes #5198)
* fmt
* mention env var
---
 config/defaults.hjson | 8 ++++++--
 crates/routes/src/utils/mod.rs | 27 ++++++++-------------------
 crates/utils/src/settings/structs.rs | 10 ++++++----
 3 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/config/defaults.hjson b/config/defaults.hjson
index b5d3b1004..4922d74aa 100644
--- a/config/defaults.hjson
+++ b/config/defaults.hjson
@@ -110,7 +110,11 @@
 bind: "127.0.0.1"
 port: 10002
 }
- # Sets a response Access-Control-Allow-Origin CORS header
+ # Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment:
+ # `LEMMY_CORS_ORIGIN=example.org,site.com`
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
- cors_origin: "lemmy.tld"
+ cors_origin: [
+ "lemmy.tld"
+ /* ... */
+ ]
 }
diff --git a/crates/routes/src/utils/mod.rs b/crates/routes/src/utils/mod.rs
index ccb363df9..632905c90 100644
--- a/crates/routes/src/utils/mod.rs
+++ b/crates/routes/src/utils/mod.rs
@@ -9,30 +9,19 @@ pub fn cors_config(settings: &Settings) -> Cors {
 let self_origin = settings.get_protocol_and_hostname();
 let cors_origin_setting = settings.cors_origin();
- // A default setting for either wildcard, or None
- let cors_default = Cors::default()
- .allow_any_origin()
+ let mut cors = Cors::default()
 .allow_any_method()
 .allow_any_header()
 .expose_any_header()
 .max_age(3600);
- match (cors_origin_setting.clone(), cfg!(debug_assertions)) {
- (Some(origin), false) => {
- // Need to call send_wildcard() explicitly, passing this into allowed_origin() results in
- // error
- if origin == "*" {
- cors_default
- } else {
- Cors::default()
- .allowed_origin(&origin)
- .allowed_origin(&self_origin)
- .allow_any_method()
- .allow_any_header()
- .expose_any_header()
- .max_age(3600)
- }
+ if cfg!(debug_assertions) || cors_origin_setting.contains(&"*".to_string()) {
+ cors = cors.allow_any_origin();
+ } else {
+ cors = cors.allowed_origin(&self_origin);
+ for c in cors_origin_setting {
+ cors = cors.allowed_origin(&c);
 }
- _ => cors_default,
 }
+ cors
 }
diff --git a/crates/utils/src/settings/structs.rs b/crates/utils/src/settings/structs.rs
index effd68a64..4577f4e60 100644
--- a/crates/utils/src/settings/structs.rs
+++ b/crates/utils/src/settings/structs.rs
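Review bot: The new `if cfg!(debug_assertions) || cors_origin_setting.contains(&"*".to_string())` branch carries no comment, and the comment this commit removes was the only place that said why `*` cannot be handed to `allowed_origin()`. I would put `// Debug builds, or a "*" entry anywhere in the list, allow any origin; allowed_origin() rejects "*".` above it, because a single `*` overrides every other configured origin and a debug build ignores the list entirely. The `else` branch also changes the unset case: the removed `_ => cors_default` arm allowed any origin when nothing was configured, whereas an empty list now leaves only `self_origin` in release builds; that is the safer default, but it deserves a line in the setting's documentation. Entries reach `allowed_origin(&c)` exactly as configured, so a scheme-less value like the documented `lemmy.tld` would presumably never equal a browser `Origin` header; confirm this against the Cors builder's matching rules. The function's opening line is visible only in the hunk header.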
@@ -44,17 +44,19 @@ pub struct Settings {
 // Prometheus configuration.
 #[doku(example = "Some(Default::default())")]
 pub prometheus: Option,
- /// Sets a response Access-Control-Allow-Origin CORS header
+ /// Sets a response Access-Control-Allow-Origin CORS header. Can also be set via environment:
+ /// `LEMMY_CORS_ORIGIN=example.org,site.com`
 /// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 #[doku(example = "lemmy.tld")]
- cors_origin: Option,
+ cors_origin: Vec,
 }
 impl Settings {
- pub fn cors_origin(&self) -> Option {
+ pub fn cors_origin(&self) -> Vec {
 env::var("LEMMY_CORS_ORIGIN")
 .ok()
- .or(self.cors_origin.clone())
+ .map(|e| e.split(',').map(ToString::to_string).collect())
+ .unwrap_or(self.cors_origin.clone())
 }
 }
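Review bot: The added `.map(|e| e.split(',').map(ToString::to_string).collect())` in `cors_origin()` neither trims entries nor drops empty ones, so an empty `LEMMY_CORS_ORIGIN` produces a list holding one empty string and `a.org, b.org` produces an entry with a leading space. That list replaces the configured one and is fed to `allowed_origin()` in `cors_config`, and a padded `*` would miss the exact `contains` test for the wildcard. Normalising while splitting closes this: `.map(|e| e.split(',').map(str::trim).filter(|s| !s.is_empty()).map(ToString::to_string).collect())`. `unwrap_or(self.cors_origin.clone())` also clones the stored list even when the variable is set; `unwrap_or_else(|| self.cors_origin.clone())` defers that. The `Settings` struct starts above the hunk.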