config flag to enable CORS response headers for data downloads (#834)

2024-06-17 21:33:21 +10:00 · 2024-06-17 21:33:21 +10:00 · e422c9065f
parent d524252f1f
commit e422c9065f
3 changed files with 28 additions and 3 deletions
--- a/codex/codex.nim
+++ b/codex/codex.nim
@ -312,7 +312,7 @@ proc new*(
      taskpool = taskpool)

    restServer = RestServerRef.new(
-      codexNode.initRestApi(config, repoStore),
+      codexNode.initRestApi(config, repoStore, config.apiCorsAllowedOrigin),
      initTAddress(config.apiBindAddress , config.apiPort),
      bufferSize = (1024 * 64),
      maxRequestBodySize = int.high)
--- a/codex/conf.nim
+++ b/codex/conf.nim
@ -190,6 +190,12 @@ type
      name: "api-port"
      abbr: "p" }: Port

+    apiCorsAllowedOrigin* {.
+      desc: "The REST Api CORS allowed origin for downloading data. '*' will allow all origins, '' will allow none.",
+      defaultValue: string.none
+      defaultValueDesc: "Disallow all cross origin requests to download data"
+      name: "api-cors-origin" }: Option[string]
+
    repoKind* {.
      desc: "Backend for main repo store (fs, sqlite, leveldb)"
      defaultValueDesc: "fs"
--- a/codex/rest/api.nim
+++ b/codex/rest/api.nim
@ -107,6 +107,8 @@ proc retrieveCid(
      await stream.close()

 proc initDataApi(node: CodexNodeRef, repoStore: RepoStore, router: var RestRouter) =
+  let allowedOrigin = router.allowedOrigin # prevents capture inside of api defintion
+
  router.rawApi(
    MethodPost,
    "/api/codex/v1/data") do (
@ -166,6 +168,12 @@ proc initDataApi(node: CodexNodeRef, repoStore: RepoStore, router: var RestRoute
          Http400,
          $cid.error())

+      if corsOrigin =? allowedOrigin:
+        resp.setHeader("Access-Control-Allow-Origin", corsOrigin)
+        resp.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS")
+        resp.setHeader("Access-Control-Headers", "X-Requested-With")
+        resp.setHeader("Access-Control-Max-Age", "86400")
+
      await node.retrieveCid(cid.get(), local = true, resp=resp)

  router.api(
@ -181,6 +189,12 @@ proc initDataApi(node: CodexNodeRef, repoStore: RepoStore, router: var RestRoute
          Http400,
          $cid.error())

+      if corsOrigin =? allowedOrigin:
+        resp.setHeader("Access-Control-Allow-Origin", corsOrigin)
+        resp.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS")
+        resp.setHeader("Access-Control-Headers", "X-Requested-With")
+        resp.setHeader("Access-Control-Max-Age", "86400")
+
      await node.retrieveCid(cid.get(), local = false, resp=resp)

  router.api(
@ -636,8 +650,13 @@ proc initDebugApi(node: CodexNodeRef, conf: CodexConf, router: var RestRouter) =
        trace "Excepting processing request", exc = exc.msg
        return RestApiResponse.error(Http500)

-proc initRestApi*(node: CodexNodeRef, conf: CodexConf, repoStore: RepoStore): RestRouter =
-  var router = RestRouter.init(validate)
+proc initRestApi*(
+  node: CodexNodeRef,
+  conf: CodexConf,
+  repoStore: RepoStore,
+  corsAllowedOrigin: ?string): RestRouter =
+
+  var router = RestRouter.init(validate, corsAllowedOrigin)

  initDataApi(node, repoStore, router)
  initSalesApi(node, router)