Merge pull request #1646 from ConductionNL/feature/WOO-142/dynamic-cors

Make CORS more dynamic
ConductionNL · May 3, 2024 · 9813b74 · 9813b74
2 parents 1ca1d6e + ca3a6a8
commit 9813b74
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 6 deletions.
diff --git a/api/config/packages/nelmio_cors.yaml b/api/config/packages/nelmio_cors.yaml
@@ -1,7 +1,12 @@
+parameters:
+    env(CORS_ORIGIN_EXTRA): '["*","https://localhost","https://localhost:8000"]'
+    env(CORS_ORIGIN): '*'
+    cors_origins: '%env(json:CORS_ORIGIN_EXTRA)%'
+
 nelmio_cors:
     defaults:
         origin_regex: true
-        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
+        allow_origin: ['%env(CORS_ORIGIN)%']
         allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
         allow_headers: ['Content-Type', 'Authorization', 'x-method', 'x-endpoint']
         expose_headers: ['Link']

diff --git a/api/docker/nginx/conf.d/default.conf.template b/api/docker/nginx/conf.d/default.conf.template
@@ -10,12 +10,13 @@ server {
     add_header Content-Security-Policy $csp;
     add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(self), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), conversion-measurement=(self),focus-without-user-activation=(), hid=(), idle-detection=(), serial=(),sync-script=(), trust-token-redemption=(), vertical-scroll=(self)";
 
+#    proxy_pass_header access-control-allow-origin;
     # Fixes CORS header
-    if ($http_origin = ''){
-        set $http_origin "*";
-    }
-    proxy_hide_header Access-Control-Allow-Origin;
-    add_header Access-Control-Allow-Origin $http_origin always;
+#    if ($http_origin = ''){
+#        set $http_origin "*";
+#    }
+#    proxy_hide_header Access-Control-Allow-Origin;
+#    add_header Access-Control-Allow-Origin $http_origin always;
 
     client_max_body_size 51M;
 

diff --git a/api/migrations/Version20240501133259.php b/api/migrations/Version20240501133259.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20240501133259 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE application ADD origins TEXT DEFAULT NULL');
+        $this->addSql('COMMENT ON COLUMN application.origins IS \'(DC2Type:array)\'');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE application DROP origins');
+    }
+}
diff --git a/api/src/Command/InitializationCommand.php b/api/src/Command/InitializationCommand.php
@@ -152,6 +152,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             }
             $application->setDomains($domains);
             $application->setOrganization($organization);
+
+            $adminHost = $parsedAppUrl['scheme'].'://'.(str_starts_with($parsedAppUrl['host'], 'api') ? str_replace(search: 'api', replace: 'admin', subject: $parsedAppUrl['host']) : $parsedAppUrl['host'].':8000');
+
+            $application->setOrigins(origins: array_values(array: array_unique(array: ['http://localhost', $parsedAppUrl['scheme'].'://'.$parsedAppUrl['host'], $adminHost])));
 //            $application->setSecret('LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV3QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktvd2dnU21BZ0VBQW9JQkFRRFNQU1lacUs3cHdMTWQKd0VqSThkeTA2aVUzQUxESHFOMnBvbmJEb0tIN09KcFVpa0hkT09NVVhNYUhGOWwyb0ZBQmV1VnkrMjJlVHZTQwp3SGdFeUlkTlBEOHhnaWcrUVFlLzBEZlNIaWxGK01ZNGJYbzBUdW0wbDB1MFRDMDNqSUMvUHdiWmJkd3AyczdmClo5TVh1dzdZdnpLS2dzSTdXWWhlSGxGazlkQXc4OUg4SjVUbkY2N050YkdWRkdYTUk5ekpSejZ6N3JRUzJGMjEKcmIyanNhMU4yWkliZW5rbmFrQjdmTEk2VU1mVk5DTXBVZHdERUN6TXNTUTQ4L2dvMzdJYjhzbElGZ2NTUWcrNgp4U1JleG1BT0lBUDIxSitnVjZubGhiMGQ2V2VCcUliQ1hoYkhoY0RGc3NiVGlyTms5UElCcm1FdktGU1prdVV2Cks4Z0hzTituQWdNQkFBRUNnZ0VCQUlFZ1JaSms1R2wxalkyc1dBZnpaUmRJNkdxTDVnZjdVNG1vMjBEMEhBanMKanYxMW5WWitaaHBQa1MvUUdpU2QrZ1d1c2RhWlRvNTQ5L3lHc2pCZDZad3FjTFc3dDNQbEJSbHVqWnBrSS8xeAorbTBWOElUSUl3cGtFbjgrZWxjdjJMT2R4bHNzK3BoS1o5MFhLN1BibEJiVDkvclNyUEUrNEY3T1NEZTJNcFNkClRvVi9XQis1SC90eFM1TVpIRHM3OTA3RFpLemdkdUZyVHBPRUZQeUp3MnoxbWNRbzhnK2ZTbm90Q1ZncUFFRFcKcXFSNHpmK05WTUdId3A3WC9Lc3k1eWdkZnZ3QXpaVEVaUmFzVHVnN1JDdHhyVUp0d2lEMk9rdmNoMzNXYzA1VQoyVnVqdmk5ODhuY1hWeVZOOG8wbnU4aUNRV25veUM5SnJDRnlTU000cjJFQ2dZRUEraWJJb2E2aHlGNkNIcFYxCk9uYmIwT2ZleVhMS01vTkNDN2FYdXFHUVBsTG52K3FXUFJqRXdWR3Mvb3NrS2hFRWhsSEdvamc1dkhSQ1g2T3AKSTlJSis4U201d08xSlJFUFFNdmdza0ZWR3NlZVF5UXNYajJmRmp5cDZ4RGhHMlFzNlFpZHRuZEN6L1hOZWxBQQowNmVkbHl0L0I3Z1d1dWtoYWQ1SjhrT3UzeVVDZ1lFQTF5ZDZmYkhtNFQyMmkxQXZYYTBaSG8rME1oZUVGYTg0ClpaZXVtSmNKaTd3NnFjR016ejkwNno5V0lPT3ZvTk9WZWdVOHMvb2labUZiMXZ3bmE2SnJRZWpid0ZJckN0TlIKYlF3SmsrVkIrY0RJckxtTjhuclBacVM0THY0Y3hOOWlMYWtVMlpid1Jrb1NQSldlaUM2SWt5SWNEYzVxTVpCZwpubTJxSVlxQW45c0NnWUVBbEZwNTlFRlFHemZKYlgvdjFTdDJjKzkvbGZNbzdVb2cyamVBeHFOWW0wMnB1WXpUCmF3cU1iYVlWdGFRcFgzVldQSjYwOGJIc3M5SXpKdXMxdlZPc3JnN1RlUUFlNXd1MkF4U21mckQyV3ZwMTVwWEcKWm1HZlBwM2RtOVlYMnBuUGRLaXlkK3RFeVhhYVZPYXJodHJLUUVRQWcwQnU0b3l1VDA0UWhzZ1RKcTBDZ1lFQQpuWmRTRmkwdmduM1VibGh1U1R3WHNSWHJFK0c3b3JKMEtaMmZpaTdmRkJYc0Zoa3B6VWVhbVJFTVFnemp3SFlaCi80VkVnRU5QM1JPazFHUmZiMnhKQ2I3STd5YUFWbTZRTHNKcFpZVy8vSEtqeWpnamE1OWV1TDBnRjNPVG1QUlMKRWtYTmVzOGU4UzBpREhRKzZWckVPSmo4V1hSK3ZnMFZhQlhGVHNvSENvOENnWUVBOWhpRVlVTXZFNTdQMytmSgptZmZSMytwamJ6WDF0dWY2K0FqcGFrTjNodDFhWUJmaXJzRTlDTHpZdVBqSW4zdU1DRWZvdVFkMGc3c01UcGJnCmxBVXlkaWNPMFNvdDNmSHBLV0F5R3laOVRWYlhIaGUrb1FJYUN1VWFaanlQSFFPWWhHTzZwV0ZDam9aV01JZUwKZjBGcVg0UFExZEJPd3drNDl2Vm16YTJIY1RzPQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg=='); // todo genreate
 //            $application->setPublic('LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ4VENDQXRtZ0F3SUJBZ0lVVTlMMXFhdGI5WndXTGd4Rlg1VHB0bjNiQytjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZY3hDekFKQmdOVkJBWVRBazVNTVJZd0ZBWURWUVFJREExT2IyOXlaQ0JJYjJ4c1lXNWtNUkl3RUFZRApWUVFIREFsQmJYTjBaWEprWVcweEV6QVJCZ05WQkFvTUNrTnZibVIxWTNScGIyNHhFakFRQmdOVkJBTU1DV3h2ClkyRnNhRzl6ZERFak1DRUdDU3FHU0liM0RRRUpBUllVY205aVpYSjBRR052Ym1SMVkzUnBiMjR1Ym13d0hoY04KTWpFd09UQXlNRGMxTWpVd1doY05Nakl3T1RBeU1EYzFNalV3V2pDQmh6RUxNQWtHQTFVRUJoTUNUa3d4RmpBVQpCZ05WQkFnTURVNXZiM0prSUVodmJHeGhibVF4RWpBUUJnTlZCQWNNQ1VGdGMzUmxjbVJoYlRFVE1CRUdBMVVFCkNnd0tRMjl1WkhWamRHbHZiakVTTUJBR0ExVUVBd3dKYkc5allXeG9iM04wTVNNd0lRWUpLb1pJaHZjTkFRa0IKRmhSeWIySmxjblJBWTI5dVpIVmpkR2x2Ymk1dWJEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQwpBUW9DZ2dFQkFOSTlKaG1vcnVuQXN4M0FTTWp4M0xUcUpUY0FzTWVvM2FtaWRzT2dvZnM0bWxTS1FkMDQ0eFJjCnhvY1gyWGFnVUFGNjVYTDdiWjVPOUlMQWVBVEloMDA4UHpHQ0tENUJCNy9RTjlJZUtVWDR4amh0ZWpSTzZiU1gKUzdSTUxUZU1nTDgvQnRsdDNDbmF6dDluMHhlN0R0aS9Nb3FDd2p0WmlGNGVVV1QxMEREejBmd25sT2NYcnMyMQpzWlVVWmN3ajNNbEhQclB1dEJMWVhiV3R2YU94clUzWmtodDZlU2RxUUh0OHNqcFF4OVUwSXlsUjNBTVFMTXl4CkpEanorQ2pmc2h2eXlVZ1dCeEpDRDdyRkpGN0dZQTRnQS9iVW42QlhxZVdGdlIzcFo0R29oc0plRnNlRndNV3kKeHRPS3MyVDA4Z0d1WVM4b1ZKbVM1UzhyeUFldzM2Y0NBd0VBQWFOVE1GRXdIUVlEVlIwT0JCWUVGRlRRbENzNwo3c1RzTXF1V3dCUjFORXZndWRYVk1COEdBMVVkSXdRWU1CYUFGRlRRbENzNzdzVHNNcXVXd0JSMU5Fdmd1ZFhWCk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJV3ZpZldiV3FQNklUd20KS1d2YW9Lc1JIc1BzZ0dxYUF2OXlkZ24xSVp2WFQzZGg3eXpOdHFJRXNDcHpvc2c0Zis3Rlo2bG5GZHI2RFZVbgpmMGh3bUV4ems3d1lYdjBtd2xCTHg1alJmb0tKbDA2SFdkVHVFYUJwR2JYR1Y3VHZjQ3dEb1hYenlYYkljT1FqCnFMeGM0RlE5dlZXazRQM0Y1dDZ6dFh3TWVYWDhZeVYwaGN4cXRaVHNsL25ZVDFvc2pKUlBlWDBRRXFXTjJKZ1QKTGFwckNwK0ZOOXI2WlRwb3EybXVwNmcxTE9HaW1md1k3VDR4elhEaUNlMk1FMi93azBuczBpZXFmeFpwQk5mMApaYitZTHBPekVIYmNlS3dqSEJxT016VlJTZy93bW9sN05VWEF5YkZUNlMwaU5EQWlVSUJ6Q2xUZDhPQ0ZlYXB6CmdwYmROaDA9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0='); // todo genreate
 //            $application->setPublicKey('LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ4VENDQXRtZ0F3SUJBZ0lVVTlMMXFhdGI5WndXTGd4Rlg1VHB0bjNiQytjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZY3hDekFKQmdOVkJBWVRBazVNTVJZd0ZBWURWUVFJREExT2IyOXlaQ0JJYjJ4c1lXNWtNUkl3RUFZRApWUVFIREFsQmJYTjBaWEprWVcweEV6QVJCZ05WQkFvTUNrTnZibVIxWTNScGIyNHhFakFRQmdOVkJBTU1DV3h2ClkyRnNhRzl6ZERFak1DRUdDU3FHU0liM0RRRUpBUllVY205aVpYSjBRR052Ym1SMVkzUnBiMjR1Ym13d0hoY04KTWpFd09UQXlNRGMxTWpVd1doY05Nakl3T1RBeU1EYzFNalV3V2pDQmh6RUxNQWtHQTFVRUJoTUNUa3d4RmpBVQpCZ05WQkFnTURVNXZiM0prSUVodmJHeGhibVF4RWpBUUJnTlZCQWNNQ1VGdGMzUmxjbVJoYlRFVE1CRUdBMVVFCkNnd0tRMjl1WkhWamRHbHZiakVTTUJBR0ExVUVBd3dKYkc5allXeG9iM04wTVNNd0lRWUpLb1pJaHZjTkFRa0IKRmhSeWIySmxjblJBWTI5dVpIVmpkR2x2Ymk1dWJEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQwpBUW9DZ2dFQkFOSTlKaG1vcnVuQXN4M0FTTWp4M0xUcUpUY0FzTWVvM2FtaWRzT2dvZnM0bWxTS1FkMDQ0eFJjCnhvY1gyWGFnVUFGNjVYTDdiWjVPOUlMQWVBVEloMDA4UHpHQ0tENUJCNy9RTjlJZUtVWDR4amh0ZWpSTzZiU1gKUzdSTUxUZU1nTDgvQnRsdDNDbmF6dDluMHhlN0R0aS9Nb3FDd2p0WmlGNGVVV1QxMEREejBmd25sT2NYcnMyMQpzWlVVWmN3ajNNbEhQclB1dEJMWVhiV3R2YU94clUzWmtodDZlU2RxUUh0OHNqcFF4OVUwSXlsUjNBTVFMTXl4CkpEanorQ2pmc2h2eXlVZ1dCeEpDRDdyRkpGN0dZQTRnQS9iVW42QlhxZVdGdlIzcFo0R29oc0plRnNlRndNV3kKeHRPS3MyVDA4Z0d1WVM4b1ZKbVM1UzhyeUFldzM2Y0NBd0VBQWFOVE1GRXdIUVlEVlIwT0JCWUVGRlRRbENzNwo3c1RzTXF1V3dCUjFORXZndWRYVk1COEdBMVVkSXdRWU1CYUFGRlRRbENzNzdzVHNNcXVXd0JSMU5Fdmd1ZFhWCk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJV3ZpZldiV3FQNklUd20KS1d2YW9Lc1JIc1BzZ0dxYUF2OXlkZ24xSVp2WFQzZGg3eXpOdHFJRXNDcHpvc2c0Zis3Rlo2bG5GZHI2RFZVbgpmMGh3bUV4ems3d1lYdjBtd2xCTHg1alJmb0tKbDA2SFdkVHVFYUJwR2JYR1Y3VHZjQ3dEb1hYenlYYkljT1FqCnFMeGM0RlE5dlZXazRQM0Y1dDZ6dFh3TWVYWDhZeVYwaGN4cXRaVHNsL25ZVDFvc2pKUlBlWDBRRXFXTjJKZ1QKTGFwckNwK0ZOOXI2WlRwb3EybXVwNmcxTE9HaW1md1k3VDR4elhEaUNlMk1FMi93azBuczBpZXFmeFpwQk5mMApaYitZTHBPekVIYmNlS3dqSEJxT016VlJTZy93bW9sN05VWEF5YkZUNlMwaU5EQWlVSUJ6Q2xUZDhPQ0ZlYXB6CmdwYmROaDA9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0='); // todo genreate

diff --git a/api/src/Entity/Application.php b/api/src/Entity/Application.php
@@ -262,6 +262,15 @@ class Application
      */
     private array $certificates = [];
 
+    /**
+     * @var array Allowed CORS origins for this application.
+     *
+     * @Groups({"read", "write"})
+     *
+     * @ORM\Column(type="array", nullable=true)
+     */
+    private ?array $origins = [];
+
     /**
      * @var array|null The configuration of this application.
      *
@@ -305,6 +314,7 @@ public function fromSchema(array $schema): self
         array_key_exists('domains', $schema) ? $this->setDomains($schema['domains']) : '';
         array_key_exists('configuration', $schema) ? $this->setConfiguration($schema['configuration']) : '';
         array_key_exists('organization', $schema) ? $this->setOrganization($schema['organization']) : '';
+        array_key_exists('origins', $schema) ? $this->setOrigins($schema['origins']) : '';
         // todo ? more ?
 
         return $this;
@@ -328,6 +338,7 @@ public function toSchema(): array
             'domains'                        => $this->getDomains(),
             'configuration'                  => $this->getConfiguration(),
             'organization'                   => $this->getOrganization() ? $this->getOrganization()->toSchema() : null,
+            'origins'                        => $this->getOrigins(),
         ];
     }
 
@@ -686,6 +697,31 @@ public function setCertificates(?array $certificates): self
         return $this;
     }
 
+    /**
+     * @return array
+     */
+    public function getOrigins(): array
+    {
+        $origins = $this->origins;
+        if($origins === null) {
+            return [];
+        }
+
+        return $origins;
+    }
+
+    /**
+     * @param array|null $certificates
+     *
+     * @return Application
+     */
+    public function setOrigins(?array $origins): self
+    {
+        $this->origins = $origins;
+
+        return $this;
+    }
+
     public function getConfiguration(): ?array
     {
         return $this->configuration;