Add CORS configuration to dev server API endpoints

Author: zubhav

cmd/cliflags/flags.go

@@ -8,6 +8,8 @@ const (
 	AccessTokenFlag  = "access-token"
 	AnalyticsOptOut  = "analytics-opt-out"
 	BaseURIFlag      = "base-uri"
+	CorsEnabledFlag  = "cors-enabled"
+	CorsOriginFlag   = "cors-origin"
 	DataFlag         = "data"
 	DevStreamURIFlag = "dev-stream-uri"
 	EmailsFlag       = "emails"
@@ -22,6 +24,8 @@ const (
 	AccessTokenFlagDescription = "LaunchDarkly access token with write-level access"
 	AnalyticsOptOutDescription = "Opt out of analytics tracking"
 	BaseURIFlagDescription     = "LaunchDarkly base URI"
+	CorsEnabledFlagDescription = "Enable CORS headers for browser-based developer tools (default: true)"
+	CorsOriginFlagDescription  = "Allowed CORS origin. Use '*' for all origins (default: '*')"
 	DevStreamURIDescription    = "Streaming service endpoint that the dev server uses to obtain authoritative flag data. This may be a LaunchDarkly or Relay Proxy endpoint"
 	EnvironmentFlagDescription = "Default environment key"
 	FlagFlagDescription        = "Default feature flag key"
@@ -36,6 +40,8 @@ func AllFlagsHelp() map[string]string {
 		AccessTokenFlag:  AccessTokenFlagDescription,
 		AnalyticsOptOut:  AnalyticsOptOutDescription,
 		BaseURIFlag:      BaseURIFlagDescription,
+		CorsEnabledFlag:  CorsEnabledFlagDescription,
+		CorsOriginFlag:   CorsOriginFlagDescription,
 		DevStreamURIFlag: DevStreamURIDescription,
 		EnvironmentFlag:  EnvironmentFlagDescription,
 		FlagFlag:         FlagFlagDescription,

cmd/dev_server/dev_server.go

@@ -50,6 +50,20 @@ func NewDevServerCmd(client resources.Client, analyticsTrackerFn analytics.Track
 
 	_ = viper.BindPFlag(cliflags.PortFlag, cmd.PersistentFlags().Lookup(cliflags.PortFlag))
 
+	cmd.PersistentFlags().Bool(
+		cliflags.CorsEnabledFlag,
+		true,
+		cliflags.CorsEnabledFlagDescription,
+	)
+	_ = viper.BindPFlag(cliflags.CorsEnabledFlag, cmd.PersistentFlags().Lookup(cliflags.CorsEnabledFlag))
+
+	cmd.PersistentFlags().String(
+		cliflags.CorsOriginFlag,
+		"*",
+		cliflags.CorsOriginFlagDescription,
+	)
+	_ = viper.BindPFlag(cliflags.CorsOriginFlag, cmd.PersistentFlags().Lookup(cliflags.CorsOriginFlag))
+
 	// Add subcommands here
 	cmd.AddGroup(&cobra.Group{ID: "projects", Title: "Project commands:"})
 	cmd.AddCommand(NewListProjectsCmd(client))

cmd/dev_server/start_server.go

@@ -89,6 +89,8 @@ func startServer(client dev_server.Client) func(*cobra.Command, []string) error
 			BaseURI:                viper.GetString(cliflags.BaseURIFlag),
 			DevStreamURI:           viper.GetString(cliflags.DevStreamURIFlag),
 			Port:                   viper.GetString(cliflags.PortFlag),
+			CorsEnabled:            viper.GetBool(cliflags.CorsEnabledFlag),
+			CorsOrigin:             viper.GetString(cliflags.CorsOriginFlag),
 			InitialProjectSettings: initialSetting,
 		}
 

internal/dev_server/dev_server.go

@@ -29,6 +29,8 @@ type ServerParams struct {
 	BaseURI                string
 	DevStreamURI           string
 	Port                   string
+	CorsEnabled            bool
+	CorsOrigin             string
 	InitialProjectSettings model.InitialProjectSettings
 }
 
@@ -65,6 +67,7 @@ func (c LDClient) RunServer(ctx context.Context, serverParams ServerParams) {
 	r.PathPrefix("/ui/").Handler(http.StripPrefix("/ui/", ui.AssetHandler))
 	sdk.BindRoutes(r)
 	handler := api.HandlerFromMux(apiServer, r)
+	handler = sdk.ApiCorsHeadersWithConfig(serverParams.CorsEnabled, serverParams.CorsOrigin)(handler)
 	handler = handlers.CombinedLoggingHandler(os.Stdout, handler)
 	handler = handlers.RecoveryHandler(handlers.PrintRecoveryStack(true))(handler)
 

internal/dev_server/sdk/cors.go

@@ -25,3 +25,48 @@ func EventsCorsHeaders(handler http.Handler) http.Handler {
 		handler.ServeHTTP(writer, request)
 	})
 }
+
+// ApiCorsHeaders provides CORS support for the dev-server API endpoints (/dev/*)
+// Supports all HTTP methods needed by browser-based developer tools
+func ApiCorsHeaders(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		writer.Header().Set("Access-Control-Allow-Origin", "*")
+		writer.Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
+		writer.Header().Set("Access-Control-Allow-Credentials", "true")
+		writer.Header().Set("Access-Control-Allow-Headers", "Accept,Content-Type,Content-Length,Accept-Encoding,Authorization,X-Requested-With")
+		writer.Header().Set("Access-Control-Expose-Headers", "Date,Content-Length")
+		writer.Header().Set("Access-Control-Max-Age", "300")
+
+		// Handle preflight OPTIONS requests
+		if request.Method == http.MethodOptions {
+			writer.WriteHeader(http.StatusOK)
+			return
+		}
+
+		handler.ServeHTTP(writer, request)
+	})
+}
+
+// ApiCorsHeadersWithConfig provides configurable CORS support for the dev-server API endpoints
+func ApiCorsHeadersWithConfig(enabled bool, origin string) func(http.Handler) http.Handler {
+	return func(handler http.Handler) http.Handler {
+		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+			if enabled {
+				writer.Header().Set("Access-Control-Allow-Origin", origin)
+				writer.Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
+				writer.Header().Set("Access-Control-Allow-Credentials", "true")
+				writer.Header().Set("Access-Control-Allow-Headers", "Accept,Content-Type,Content-Length,Accept-Encoding,Authorization,X-Requested-With")
+				writer.Header().Set("Access-Control-Expose-Headers", "Date,Content-Length")
+				writer.Header().Set("Access-Control-Max-Age", "300")
+
+				// Handle preflight OPTIONS requests
+				if request.Method == http.MethodOptions {
+					writer.WriteHeader(http.StatusOK)
+					return
+				}
+			}
+
+			handler.ServeHTTP(writer, request)
+		})
+	}
+}

internal/dev_server/sdk/cors_test.go

@@ -0,0 +1,76 @@
+package sdk
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestApiCorsHeadersWithConfig_Enabled(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("test response"))
+	})
+
+	corsHandler := ApiCorsHeadersWithConfig(true, "*")(handler)
+
+	// Test GET request
+	req := httptest.NewRequest("GET", "/dev/projects", nil)
+	w := httptest.NewRecorder()
+	corsHandler.ServeHTTP(w, req)
+
+	if w.Header().Get("Access-Control-Allow-Origin") != "*" {
+		t.Errorf("Expected Access-Control-Allow-Origin to be '*', got '%s'", w.Header().Get("Access-Control-Allow-Origin"))
+	}
+
+	if w.Header().Get("Access-Control-Allow-Methods") != "GET,POST,PUT,PATCH,DELETE,OPTIONS" {
+		t.Errorf("Expected Access-Control-Allow-Methods to include all methods, got '%s'", w.Header().Get("Access-Control-Allow-Methods"))
+	}
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status code 200, got %d", w.Code)
+	}
+}
+
+func TestApiCorsHeadersWithConfig_OptionsRequest(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Error("Handler should not be called for OPTIONS request")
+	})
+
+	corsHandler := ApiCorsHeadersWithConfig(true, "https://example.com")(handler)
+
+	// Test OPTIONS preflight request
+	req := httptest.NewRequest("OPTIONS", "/dev/projects", nil)
+	w := httptest.NewRecorder()
+	corsHandler.ServeHTTP(w, req)
+
+	if w.Header().Get("Access-Control-Allow-Origin") != "https://example.com" {
+		t.Errorf("Expected Access-Control-Allow-Origin to be 'https://example.com', got '%s'", w.Header().Get("Access-Control-Allow-Origin"))
+	}
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status code 200 for OPTIONS request, got %d", w.Code)
+	}
+}
+
+func TestApiCorsHeadersWithConfig_Disabled(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("test response"))
+	})
+
+	corsHandler := ApiCorsHeadersWithConfig(false, "*")(handler)
+
+	// Test GET request with CORS disabled
+	req := httptest.NewRequest("GET", "/dev/projects", nil)
+	w := httptest.NewRecorder()
+	corsHandler.ServeHTTP(w, req)
+
+	if w.Header().Get("Access-Control-Allow-Origin") != "" {
+		t.Errorf("Expected no CORS headers when disabled, but got Access-Control-Allow-Origin: '%s'", w.Header().Get("Access-Control-Allow-Origin"))
+	}
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status code 200, got %d", w.Code)
+	}
+}