Merge remote-tracking branch 'upstream/main' into e2e_passing

cmd/soroban-rpc/internal/jsonrpc.go

@@ -13,6 +13,7 @@ import (
 	"github.com/creachadair/jrpc2/jhttp"
 	"github.com/go-chi/chi/middleware"
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/rs/cors"
 	"github.com/stellar/go/support/log"
 
 	"github.com/stellar/soroban-tools/cmd/soroban-rpc/internal/config"
@@ -277,9 +278,15 @@ func NewJSONRPCHandler(cfg *config.Config, params HandlerParams) Handler {
 	// Limit request sizes to 10MB
 	handler = http.MaxBytesHandler(handler, 1024*1024*10)
 
+	corsMiddleware := cors.New(cors.Options{
+		AllowedOrigins: []string{"*"},
+		AllowedHeaders: []string{"*"},
+		AllowedMethods: []string{"GET", "PUT", "POST", "PATCH", "DELETE", "HEAD", "OPTIONS"},
+	})
+
 	return Handler{
 		bridge:  bridge,
 		logger:  params.Logger,
-		Handler: handler,
+		Handler: corsMiddleware.Handler(handler),
 	}
 }

cmd/soroban-rpc/internal/test/cors_test.go

@@ -0,0 +1,32 @@
+package test
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestCORS ensures that we receive the correct CORS headers as a response to an HTTP request.
+// Specifically, when we include an Origin header in the request, a soroban-rpc should response
+// with a corresponding Access-Control-Allow-Origin.
+func TestCORS(t *testing.T) {
+	test := NewTest(t)
+
+	request, err := http.NewRequest("POST", test.sorobanRPCURL(), bytes.NewBufferString("{\"jsonrpc\": \"2.0\", \"id\": 1, \"method\": \"getHealth\"}"))
+	require.NoError(t, err)
+	request.Header.Set("Content-Type", "application/json")
+	origin := "testorigin.com"
+	request.Header.Set("Origin", origin)
+
+	var client http.Client
+	response, err := client.Do(request)
+	require.NoError(t, err)
+	_, err = io.ReadAll(response.Body)
+	require.NoError(t, err)
+
+	accessControl := response.Header.Get("Access-Control-Allow-Origin")
+	require.Equal(t, origin, accessControl)
+}