added flag and env var to specify UI cors enabled domains

Author: Mark7888

.env.example

@@ -23,6 +23,7 @@ JWT_SECRET=
 # CLEANUP_INTERVAL=24h
 # RATE_LIMIT=100
 # API_TIMEOUT=30s
+# ALLOWED_UI_DOMAINS=https://example.com,https://app.example.com
 
 # Frontend
 API_URL=http://127.0.0.1:8080

data-server/.env.example

@@ -49,6 +49,7 @@ JWT_SECRET=your-secret-jwt-key-change-in-production
 # API Configuration (optional)
 # RATE_LIMIT=100
 # API_TIMEOUT=30s
+# ALLOWED_UI_DOMAINS=https://example.com,https://app.example.com
 
 # Logging (optional)
 # LOG_LEVEL=info

data-server/internal/api/middleware/cors.go

@@ -7,14 +7,18 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-// CORS returns a configured CORS middleware
-func CORS() gin.HandlerFunc {
+// CORS returns a configured CORS middleware.
+// allowedOrigins should contain the list of permitted origins; pass ["*"] to allow all.
+func CORS(allowedOrigins []string) gin.HandlerFunc {
+	// AllowCredentials cannot be true when origin is wildcard
+	allowCredentials := !(len(allowedOrigins) == 1 && allowedOrigins[0] == "*")
+
 	config := cors.Config{
-		AllowOrigins:     []string{"*"}, // In production, specify actual origins
+		AllowOrigins:     allowedOrigins,
 		AllowMethods:     []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
 		AllowHeaders:     []string{"Origin", "Content-Type", "Accept", "Authorization"},
 		ExposeHeaders:    []string{"Content-Length"},
-		AllowCredentials: true,
+		AllowCredentials: allowCredentials,
 		MaxAge:           12 * time.Hour,
 	}
 

data-server/internal/api/router.go

@@ -30,7 +30,7 @@ func SetupRouter(cfg *config.Config, database db.Database, jwtManager *auth.JWTM
 
 	// Global middleware
 	router.Use(gin.Recovery())
-	router.Use(middleware.CORS())
+	router.Use(middleware.CORS(cfg.API.AllowedOrigins))
 
 	// Rate limiter
 	rateLimiter := middleware.NewRateLimiter(cfg.API.RateLimit)

data-server/internal/config/config.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 )
 
@@ -73,8 +74,9 @@ type RetentionConfig struct {
 
 // APIConfig holds API-related configuration
 type APIConfig struct {
-	RateLimit int
-	Timeout   time.Duration
+	RateLimit      int
+	Timeout        time.Duration
+	AllowedOrigins []string
 }
 
 // LoggingConfig holds logging configuration
@@ -132,6 +134,8 @@ func Load() (*Config, error) {
 	// API
 	flag.IntVar(&cfg.API.RateLimit, "rate-limit", getEnvInt("RATE_LIMIT", 100), "Requests per minute per API key")
 	flag.DurationVar(&cfg.API.Timeout, "timeout", getEnvDuration("API_TIMEOUT", 30*time.Second), "API request timeout")
+	var allowedUIDomains string
+	flag.StringVar(&allowedUIDomains, "allowed-ui-domains", getEnv("ALLOWED_UI_DOMAINS", ""), "Comma-separated list of allowed UI origins for CORS (empty = allow all)")
 
 	// Logging
 	flag.StringVar(&cfg.Logging.Level, "log-level", getEnv("LOG_LEVEL", "info"), "Log level: debug, info, warn, error")
@@ -141,6 +145,17 @@ func Load() (*Config, error) {
 
 	flag.Parse()
 
+	// Parse allowed UI domains for CORS
+	if allowedUIDomains != "" {
+		parts := strings.Split(allowedUIDomains, ",")
+		for i, p := range parts {
+			parts[i] = strings.TrimSpace(p)
+		}
+		cfg.API.AllowedOrigins = parts
+	} else {
+		cfg.API.AllowedOrigins = []string{"*"}
+	}
+
 	// Validate required fields
 	if err := cfg.Validate(); err != nil {
 		return nil, err