diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs
--- a/services/identity/src/config.rs
+++ b/services/identity/src/config.rs
@@ -5,10 +5,10 @@
use tracing::{error, info};
use crate::constants::{
- DEFAULT_OPENSEARCH_ENDPOINT, DEFAULT_TUNNELBROKER_ENDPOINT,
- KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP,
- OPENSEARCH_ENDPOINT, SECRETS_DIRECTORY, SECRETS_SETUP_FILE,
- TUNNELBROKER_GRPC_ENDPOINT,
+ cors::ALLOW_ORIGIN_LIST, DEFAULT_OPENSEARCH_ENDPOINT,
+ DEFAULT_TUNNELBROKER_ENDPOINT, KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT,
+ OPAQUE_SERVER_SETUP, OPENSEARCH_ENDPOINT, SECRETS_DIRECTORY,
+ SECRETS_SETUP_FILE, TUNNELBROKER_GRPC_ENDPOINT,
};
/// Raw CLI arguments, should be only used internally to create ServerConfig
@@ -49,6 +49,11 @@
#[arg(env = OPENSEARCH_ENDPOINT)]
#[arg(default_value = DEFAULT_OPENSEARCH_ENDPOINT)]
opensearch_endpoint: String,
+
+ /// Allowed origins
+ #[arg(long, global = true)]
+ #[arg(env = ALLOW_ORIGIN_LIST)]
+ allow_origin_list: Option<String>,
}
#[derive(Subcommand)]
@@ -73,6 +78,7 @@
pub keyserver_public_key: Option<String>,
pub tunnelbroker_endpoint: String,
pub opensearch_endpoint: String,
+ pub allow_origin_list: Option<String>,
}
impl ServerConfig {
@@ -85,7 +91,6 @@
if let Some(endpoint) = &cli.localstack_endpoint {
info!("Using Localstack endpoint: {}", endpoint);
}
-
info!("Using OpenSearch endpoint: {}", cli.opensearch_endpoint);
let mut path_buf = path::PathBuf::new();
@@ -101,20 +106,20 @@
opensearch_endpoint: cli.opensearch_endpoint.clone(),
server_setup,
keyserver_public_key,
+ allow_origin_list: cli.allow_origin_list.clone(),
})
}
-
- pub fn is_dev(&self) -> bool {
- self.localstack_endpoint.is_some()
- }
}
impl fmt::Debug for ServerConfig {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("ServerConfig")
- .field("server_keypair", &"** redacted **")
- .field("keyserver_auth_token", &"** redacted **")
.field("localstack_endpoint", &self.localstack_endpoint)
+ .field("server_setup", &"** redacted **")
+ .field("keyserver_public_key", &self.keyserver_public_key)
+ .field("tunnelbroker_endpoint", &self.tunnelbroker_endpoint)
+ .field("opensearch_endpoint", &self.opensearch_endpoint)
+ .field("allow_origin_list", &"** redacted **")
.finish()
}
}
@@ -131,6 +136,8 @@
Json(serde_json::Error),
#[display(...)]
Decode(DecodeError),
+ #[display(...)]
+ InvalidRemoteEnvironment,
}
fn get_server_setup(
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -216,6 +216,5 @@
super::request_metadata::DEVICE_ID,
super::request_metadata::ACCESS_TOKEN,
];
- pub const DEFAULT_ALLOW_ORIGIN: [&str; 2] =
- ["https://web.comm.app", "http://localhost:3000"];
+ pub const ALLOW_ORIGIN_LIST: &str = "ALLOW_ORIGIN_LIST";
}
diff --git a/services/identity/src/cors.rs b/services/identity/src/cors.rs
--- a/services/identity/src/cors.rs
+++ b/services/identity/src/cors.rs
@@ -4,15 +4,9 @@
use crate::{config::CONFIG, constants::cors};
pub fn cors_layer() -> CorsLayer {
- let allow_origin = if CONFIG.is_dev() {
- AllowOrigin::mirror_request()
- } else {
- AllowOrigin::list(
- cors::DEFAULT_ALLOW_ORIGIN
- .iter()
- .cloned()
- .map(HeaderValue::from_static),
- )
+ let allow_origin = match &CONFIG.allow_origin_list {
+ None => AllowOrigin::mirror_request(),
+ Some(allow_origin_list) => slice_to_allow_origin(allow_origin_list),
};
CorsLayer::new()
.allow_origin(allow_origin)
@@ -33,3 +27,10 @@
.collect::<Vec<HeaderName>>(),
)
}
+
+fn slice_to_allow_origin(origins: &str) -> AllowOrigin {
+ let allow_origin_list = origins.split(',').map(|s| {
+ HeaderValue::from_str(s.trim()).expect("failed to parse allow origin list")
+ });
+ AllowOrigin::list(allow_origin_list)
+}