From ccb07942de92df40f549f6030b039858a8938ef0 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Fri, 10 Jan 2025 22:23:19 +0100
Subject: [PATCH 1/3] feat(api): custom cors settings
---
 backend/src/lib/config/env.ts | 24 +++++++++++++++++++++-
 backend/src/server/app.ts | 11 +++++++++-
 docs/self-hosting/configuration/envars.mdx | 24 +++++++++++++++++++++-
 3 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/backend/src/lib/config/env.ts b/backend/src/lib/config/env.ts
index 599fa1f960..762ca298de 100644
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -199,7 +199,29 @@ const envSchema = z
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
 INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
- INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
+ INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
+
+ /* CORS ----------------------------------------------------------------------------- */
+
+ CORS_ALLOWED_ORIGINS: zpStr(
+ z
+ .string()
+ .optional()
+ .transform((val) => {
+ if (!val) return undefined;
+ return JSON.parse(val) as string[];
+ })
+ ),
+
+ CORS_ALLOWED_HEADERS: zpStr(
+ z
+ .string()
+ .optional()
+ .transform((val) => {
+ if (!val) return undefined;
+ return JSON.parse(val) as string[];
+ })
+ )
 })
 // To ensure that basic encryption is always possible.
 .refine(
diff --git a/backend/src/server/app.ts b/backend/src/server/app.ts
index d001d900e7..fce7441701 100644
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
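Review bot: `JSON.parse(val) as string[]` in the two new `.transform` callbacks only asserts the type, so a value that is valid JSON but not an array of strings (for example `"https://example.com"` or `[1, 2]`) passes validation and reaches `@fastify/cors` unchanged, while a value that is not JSON at all throws a raw `SyntaxError` out of the transform at startup instead of a schema issue naming the variable. Parsing inside the transform and then checking the result with `z.array(z.string())`, reporting failure through `ctx.addIssue`, yields a clear startup error and a genuine `string[]`; the two transforms are byte-identical and belong in one shared helper, as sketched below. A comment on the origins field would also help operators: as far as I know `@fastify/cors` compares string entries with the request's `Origin` header as exact strings, so entries need scheme and host and no trailing slash or path. The enclosing `envSchema` object starts and ends outside the hunk.
```typescript
// Parses a JSON-encoded array of strings from an environment variable; undefined when unset.
const zpJsonStringArray = z
  .string()
  .optional()
  .transform((val, ctx) => {
    if (!val) return undefined;
    let parsed: unknown;
    try {
      parsed = JSON.parse(val);
    } catch {
      parsed = undefined;
    }
    const result = z.array(z.string()).safeParse(parsed);
    if (!result.success) {
      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "expected a JSON array of strings" });
      return undefined;
    }
    return result.data;
  });

// … unchanged: preceding INF_APP_CONNECTION_* fields …
    CORS_ALLOWED_ORIGINS: zpStr(zpJsonStringArray),
    CORS_ALLOWED_HEADERS: zpStr(zpJsonStringArray)
```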
@@ -87,7 +87,16 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 await server.register(cors, {
 credentials: true,
- origin: appCfg.SITE_URL || true
+ ...(appCfg.CORS_ALLOWED_ORIGINS?.length
+ ? {
+ origin: appCfg.CORS_ALLOWED_ORIGINS
+ }
+ : {
+ origin: appCfg.SITE_URL || true
+ }),
+ ...(appCfg.CORS_ALLOWED_HEADERS?.length && {
+ allowedHeaders: appCfg.CORS_ALLOWED_HEADERS
+ })
 });
 await server.register(addErrorsToResponseSchemas);
diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx
index 8f902c5065..001fe581e9 100644
--- a/docs/self-hosting/configuration/envars.mdx
+++ b/docs/self-hosting/configuration/envars.mdx
@@ -34,6 +34,27 @@ Used to configure platform-specific security and operational settings this to `false`. +## CORS + +Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain. +The following environment variables can be used to configure the Infisical Rest API to allow or restrict access to resources from different origins. + + + Specify a list of origins that are allowed to access the Infisical API. + + An example value would be `CORS_ALLOWED_ORIGINS=["https://example.com"]`. + + Defaults to the same value as your `SITE_URL` environment variable. + + + + Array of HTTP methods allowed for CORS requests. + + Defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header. + + + ## Data Layer The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks
@@ -72,7 +93,8 @@ DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}] -## Email service + +## Email Service Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
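Review bot: Setting `allowedHeaders` from `CORS_ALLOWED_HEADERS` replaces the default behaviour the docs hunk in this same commit describes — reflecting the request's `Access-Control-Request-Headers` — so an operator who lists only a custom header will have every preflight that also sends `Authorization` or `Content-Type` rejected; a comment above the spread should say so, e.g. `// Overrides header reflection: the list must contain every header the web client sends.` That docs hunk also labels `CORS_ALLOWED_HEADERS` an "Array of HTTP methods", which contradicts what this option configures and should read "HTTP request headers". The nested ternary and `&&` spread inside the options literal would read more clearly as `const corsOrigin = appCfg.CORS_ALLOWED_ORIGINS?.length ? appCfg.CORS_ALLOWED_ORIGINS : appCfg.SITE_URL || true;` computed before `server.register(cors, …)`. The enclosing `main` function starts and ends outside the hunk.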
From de91356127a9103951c142be065253b09dd7a372 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Fri, 10 Jan 2025 22:24:57 +0100
Subject: [PATCH 2/3] Update envars.mdx
---
 docs/self-hosting/configuration/envars.mdx | 1 -
 1 file changed, 1 deletion(-)
diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx
index 001fe581e9..8eda21eddf 100644
--- a/docs/self-hosting/configuration/envars.mdx
+++ b/docs/self-hosting/configuration/envars.mdx
@@ -93,7 +93,6 @@ DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}] - ## Email Service Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
From c08fbbdab233a2cfae2c9556d9d8c6019dbb6e73 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 13 Jan 2025 13:59:25 +0100
Subject: [PATCH 3/3] Update app.ts
---
 backend/src/server/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/server/app.ts b/backend/src/server/app.ts
index fce7441701..ce1be4a04e 100644
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@@ -89,7 +89,7 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 credentials: true,
 ...(appCfg.CORS_ALLOWED_ORIGINS?.length
 ? {
- origin: appCfg.CORS_ALLOWED_ORIGINS
+ origin: [...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])]
 }
 : {
 origin: appCfg.SITE_URL || true
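Review bot: The merged `origin` array on the added line can contain `SITE_URL` twice when the operator already lists it in `CORS_ALLOWED_ORIGINS`; harmless for matching, but `[...new Set([...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])])]` keeps the effective allowlist tidy when it is logged or inspected. More important is that `SITE_URL` is now always an allowed origin even when an explicit allowlist is configured, which the envars docs added earlier in this series ("Defaults to the same value as your `SITE_URL`") do not state; a comment such as `// SITE_URL is always allowed so the bundled web UI keeps working alongside the explicit allowlist` and a matching docs sentence would make the intent explicit. The enclosing `main` function starts and ends outside the hunk.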