Merge branch 'feat/allowed-origins-config' into 'dev'

feat(watcher-service): add allowed origin config Closes #204 See merge request ergo/rosen-bridge/watcher!199
rosen-bridge · Dec 13, 2023 · aead3fb · aead3fb
2 parents 6e2851b + 3920e48
commit aead3fb
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/services/watcher/config/default.yaml b/services/watcher/config/default.yaml
@@ -64,6 +64,7 @@ database:
   # name: '' # database name (for postgres)
 api:
   port: 3000 # port used to run express server
+  allowedOrigins: [] # list of allowed origins for CORS requests
 healthCheck:
   interval: 60 # health check update interval (in seconds)
   asset:

diff --git a/services/watcher/src/config/config.ts b/services/watcher/src/config/config.ts
@@ -92,6 +92,7 @@ class Config {
   rosenConfigPath: string;
   rosenTokensPath: string;
   apiPort: number;
+  apiAllowedOrigins: string[];
 
   constructor() {
     this.networkType = getRequiredString('ergo.network').toLowerCase();
@@ -205,6 +206,18 @@ class Config {
       path.join(this.rosenConfigPath, 'tokens.json')
     );
     this.apiPort = getOptionalNumber('api.port', 3000);
+    this.apiAllowedOrigins = config.get<string[]>('api.allowedOrigins');
+    if (
+      !Array.isArray(this.apiAllowedOrigins) ||
+      this.apiAllowedOrigins.some((origin) => typeof origin !== 'string')
+    ) {
+      throw new Error('ImproperlyConfigured. Api allowed origins is invalid.');
+    }
+    if (this.apiAllowedOrigins.find((origin) => origin === '*')) {
+      console.warn(
+        'An allowed origin header with value "*" will cause all origins to be able to request this service, which may cause security issues'
+      );
+    }
   }
 }
 

diff --git a/services/watcher/src/init.ts b/services/watcher/src/init.ts
@@ -58,7 +58,12 @@ const init = async () => {
   const initExpress = () => {
     const app = express();
     app.use(express.json());
-    app.use(cors());
+    const allowedOrigins = getConfig().general.apiAllowedOrigins;
+    app.use(
+      cors({
+        origin: allowedOrigins.includes('*') ? '*' : allowedOrigins,
+      })
+    );
 
     const router = Router();
     router.use('/address', addressRouter);