feat: adds configurable cors (#87)

n3rdc4ptn · web-flow · commit a45d9168d78e · 2025-02-24T19:26:55.000Z
* feat: adds configurable cors to it

* feat: add missing config changes
diff --git a/gateway/config/config.go b/gateway/config/config.go
@@ -17,6 +17,12 @@ type Config struct {
 	UserNameClaim    string `envconfig:"default=email,optional"`
 
 	ShouldImpersonate bool `envconfig:"default=true,optional"`
+
+	Cors struct {
+		Enabled        bool     `envconfig:"default=false,optional"`
+		AllowedOrigins []string `envconfig:"default=*,optional"`
+		AllowedHeaders []string `envconfig:"default=*,optional"`
+	}
 }
 
 type HandlerConfig struct {
diff --git a/gateway/manager/manager.go b/gateway/manager/manager.go
@@ -187,6 +187,19 @@ func (s *Service) createHandler(schema *graphql.Schema) *graphqlHandler {
 }
 
 func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+
+	if (*r).Method == "OPTIONS" && s.appCfg.Cors.Enabled {
+		allowedOrigins := strings.Join(s.appCfg.Cors.AllowedOrigins, ",")
+		allowedHeaders := strings.Join(s.appCfg.Cors.AllowedHeaders, ",")
+		w.Header().Set("Access-Control-Allow-Origin", allowedOrigins)
+		w.Header().Set("Access-Control-Allow-Headers", allowedHeaders)
+		// setting cors allowed methods is not needed for this service,
+		// as all graphql methods are part of the cors safelisted methods
+		// https://fetch.spec.whatwg.org/#cors-safelisted-method
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
 	workspace, err := s.parsePath(r.URL.Path)
 	if err != nil {
 		s.log.Error().Err(err).Str("path", r.URL.Path).Msg("Error parsing path")
