Merge pull request #16 from SmilyOrg:cors-fix

Stricter CORS handling
SmilyOrg · Aug 15, 2022 · 6f49f3d · 6f49f3d
2 parents 9dbf0de + a9ccac8
commit 6f49f3d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/.env.development b/.env.development
@@ -1,2 +1,3 @@
 PHOTOFIELD_DATA_DIR=./data
 PHOTOFIELD_API_PREFIX=/
+PHOTOFIELD_CORS_ALLOWED_ORIGINS=http://localhost:3000
diff --git a/main.go b/main.go
@@ -1031,12 +1031,15 @@ func main() {
 
 	r.Route(apiPrefix, func(r chi.Router) {
 
-		r.Use(cors.Handler(cors.Options{
-			AllowedOrigins: []string{"*"},
-			AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-			AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
-			MaxAge:         300, // Maximum value not ignored by any of major browsers
-		}))
+		allowedOrigins := os.Getenv("PHOTOFIELD_CORS_ALLOWED_ORIGINS")
+		if allowedOrigins != "" {
+			r.Use(cors.Handler(cors.Options{
+				AllowedOrigins: strings.Split(allowedOrigins, ","),
+				AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+				AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+				MaxAge:         300, // Maximum value not ignored by any of major browsers
+			}))
+		}
 
 		var api Api
 		r.Mount("/", openapi.Handler(&api))