feat: add cors support(default disable)

Author: flyqie

cmd/server/main.go

@@ -7,6 +7,7 @@ import (
 	openvmv1Connect "github.com/openvm-http/openvm-api/gen/openvm/v1/v1connect"
 	"github.com/openvm-http/openvm-api/internal/interceptor"
 	openvmServer "github.com/openvm-http/openvm-api/internal/service/openvm"
+	"github.com/rs/cors"
 	"log"
 	"net/http"
 	"os"
@@ -21,6 +22,45 @@ import (
 var gitTag string
 var dateTime string
 
+func disableCORS() *cors.Cors {
+	// To let web developers play with the demo service from browsers, we need a
+	// very permissive CORS setup.
+	return cors.New(cors.Options{
+		AllowedMethods: []string{
+			http.MethodHead,
+			http.MethodGet,
+			http.MethodPost,
+			http.MethodPut,
+			http.MethodPatch,
+			http.MethodDelete,
+		},
+		AllowOriginFunc: func(_ /* origin */ string) bool {
+			// Allow all origins, which effectively disables CORS.
+			return true
+		},
+		AllowedHeaders: []string{"*"},
+		ExposedHeaders: []string{
+			// Content-Type is in the default safelist.
+			"Accept",
+			"Accept-Encoding",
+			"Accept-Post",
+			"Connect-Accept-Encoding",
+			"Connect-Content-Encoding",
+			"Content-Encoding",
+			"Grpc-Accept-Encoding",
+			"Grpc-Encoding",
+			"Grpc-Message",
+			"Grpc-Status",
+			"Grpc-Status-Details-Bin",
+		},
+		// Let browsers cache CORS information for longer, which reduces the number
+		// of preflight requests. Any changes to ExposedHeaders won't take effect
+		// until the cached data expires. FF caps this value at 24h, and modern
+		// Chrome caps it at 2h.
+		MaxAge: int(2 * time.Hour / time.Second),
+	})
+}
+
 func main() {
 	log.Printf("OpenVM-API %s %s", gitTag, dateTime)
 	if token := os.Getenv("ACCESS_TOKEN"); token != "" {
@@ -42,10 +82,17 @@ func main() {
 	))
 	mux := http.NewServeMux()
 	mux.Handle("/api/", http.StripPrefix("/api", api))
+	var httpServerMux http.Handler
+	if disableCors := os.Getenv("DISABLE_CORS"); disableCors == "YES_I_KNOWN_NOT_SAFE" {
+		log.Printf("Security Warning: DISABLE_CORS set!\n")
+		httpServerMux = disableCORS().Handler(mux)
+	} else {
+		httpServerMux = mux
+	}
 
 	srv := &http.Server{
 		Addr:    addr,
-		Handler: h2c.NewHandler(mux, &http2.Server{}),
+		Handler: h2c.NewHandler(httpServerMux, &http2.Server{}),
 	}
 	log.Printf("HTTP server listening on %s\n", addr)
 	signals := make(chan os.Signal, 1)

go.mod

@@ -6,6 +6,7 @@ require (
 	connectrpc.com/connect v1.16.2
 	github.com/openvm-http/govix v1.0.3
 	github.com/openvm-http/govmx/v2 v2.0.1
+	github.com/rs/cors v1.11.1
 	golang.org/x/net v0.30.0
 	google.golang.org/protobuf v1.34.2
 )

go.sum

@@ -5,6 +5,8 @@ github.com/openvm-http/govix v1.0.3 h1:WC/GroEOEFFc7NIVCZnIX/9xWPfLPaHOcTK/SAjyq
 github.com/openvm-http/govix v1.0.3/go.mod h1:P22JPIyMAon/IQev5p7d00O9gCq4VV+GW1ES2ccUdcg=
 github.com/openvm-http/govmx/v2 v2.0.1 h1:Uuglgh7hCoeXB4lJEdcAAD1HAs48NNXnWqKnQmy/pec=
 github.com/openvm-http/govmx/v2 v2.0.1/go.mod h1:E9iNSSN+upUYUS0FardJPUFc+JGSj+5iHbfg/c4PuLY=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=