feat: CORS support on gateway (#1714)

Allow the console to call gw directly by adding CORS support to gw and
setting the origin as the console.

Author: chesedo

docker-compose.yml

@@ -122,6 +122,7 @@ services:
       - "--provisioner-host=provisioner"
       - "--proxy-fqdn=${APPS_FQDN}"
       - "--use-tls=${USE_TLS}"
+      - "--cors-origin=https://console.shuttle.rs"
       - "--admin-key=${GATEWAY_ADMIN_KEY}"
       - "--permit-api-uri=https://api.eu-central-1.permit.io"
       - "--permit-pdp-uri=http://permit-pdp:7000"

gateway/Cargo.toml

@@ -44,7 +44,7 @@ strum = { workspace = true }
 tokio = { workspace = true, features = ["full"] }
 tonic = { workspace = true }
 tower = { workspace = true, features = ["steer"] }
-tower-http = { workspace = true }
+tower-http = { workspace = true, features = ["cors"] }
 tower-sanitize-path = "0.2.0"
 tracing = { workspace = true, features = ["default"] }
 tracing-opentelemetry = { workspace = true }

gateway/src/api/latest.rs

@@ -14,7 +14,8 @@ use axum::routing::{any, delete, get, post};
 use axum::{Json as AxumJson, Router};
 use fqdn::FQDN;
 use futures::Future;
-use http::{StatusCode, Uri};
+use http::header::AUTHORIZATION;
+use http::{HeaderValue, Method, StatusCode, Uri};
 use instant_acme::{AccountCredentials, ChallengeType};
 use serde::{Deserialize, Serialize};
 use shuttle_backends::auth::{AuthPublicKey, JwtAuthenticationLayer, ScopedLayer};
@@ -34,6 +35,7 @@ use shuttle_proto::provisioner::Ping;
 use tokio::sync::mpsc::Sender;
 use tokio::sync::{Mutex, MutexGuard};
 use tower::ServiceBuilder;
+use tower_http::cors::CorsLayer;
 use tracing::{error, field, instrument, trace};
 use ttl_cache::TtlCache;
 use ulid::Ulid;
@@ -973,6 +975,22 @@ impl ApiBuilder {
         self
     }
 
+    pub fn with_cors(mut self, cors_origin: &str) -> Self {
+        let cors_layer = CorsLayer::new()
+            .allow_methods(vec![Method::GET, Method::POST, Method::DELETE])
+            .allow_headers(vec![AUTHORIZATION])
+            .max_age(Duration::from_secs(60) * 10)
+            .allow_origin(
+                cors_origin
+                    .parse::<HeaderValue>()
+                    .expect("to be able to parse the CORS origin"),
+            );
+
+        self.router = self.router.layer(cors_layer);
+
+        self
+    }
+
     pub fn into_router(self) -> Router {
         let service = self.service.expect("a GatewayService is required");
         let sender = self.sender.expect("a task Sender is required");

gateway/src/args.rs

@@ -40,6 +40,9 @@ pub struct StartArgs {
     /// Allows to disable the use of TLS in the user proxy service (DANGEROUS)
     #[arg(long, default_value = "enable")]
     pub use_tls: UseTls,
+    /// The origin to allow CORS requests from
+    #[arg(long, default_value = "https://console.shuttle.rs")]
+    pub cors_origin: String,
     #[command(flatten)]
     pub context: ServiceArgs,
     #[command(flatten)]

gateway/src/lib.rs

@@ -540,6 +540,7 @@ pub mod tests {
                 user,
                 bouncer,
                 use_tls: UseTls::Disable,
+                cors_origin: "http://localhost:3001".to_string(),
                 context: ServiceArgs {
                     docker_host,
                     image,

gateway/src/main.rs

@@ -250,6 +250,7 @@ async fn start(
         .with_default_routes()
         .with_auth_service(args.context.auth_uri, args.context.admin_key)
         .with_default_traces()
+        .with_cors(&args.cors_origin)
         .serve();
 
     let user_handle = user_builder.serve();