support multiple CORS origins (#5150)

Co-authored-by: aler9 <[email protected]>

Author: secit

api/openapi.yaml

@@ -124,8 +124,10 @@ components:
           type: string
         apiServerCert:
           type: string
-        apiAllowOrigin:
-          type: string
+        apiAllowOrigins:
+          type: array
+          items:
+            type: string
         apiTrustedProxies:
           type: array
           items:
@@ -142,8 +144,10 @@ components:
           type: string
         metricsServerCert:
           type: string
-        metricsAllowOrigin:
-          type: string
+        metricsAllowOrigins:
+          type: array
+          items:
+            type: string
         metricsTrustedProxies:
           type: array
           items:
@@ -160,8 +164,10 @@ components:
           type: string
         pprofServerCert:
           type: string
-        pprofAllowOrigin:
-          type: string
+        pprofAllowOrigins:
+          type: array
+          items:
+            type: string
         pprofTrustedProxies:
           type: array
           items:
@@ -178,8 +184,10 @@ components:
           type: string
         playbackServerCert:
           type: string
-        playbackAllowOrigin:
-          type: string
+        playbackAllowOrigins:
+          type: array
+          items:
+            type: string
         playbackTrustedProxies:
           type: array
           items:
@@ -254,8 +262,10 @@ components:
           type: string
         hlsServerCert:
           type: string
-        hlsAllowOrigin:
-          type: string
+        hlsAllowOrigins:
+          type: array
+          items:
+            type: string
         hlsTrustedProxies:
           type: array
           items:
@@ -289,8 +299,10 @@ components:
           type: string
         webrtcServerCert:
           type: string
-        webrtcAllowOrigin:
-          type: string
+        webrtcAllowOrigins:
+          type: array
+          items:
+            type: string
         webrtcTrustedProxies:
           type: array
           items:

internal/api/api.go

@@ -94,7 +94,7 @@ type API struct {
 	Encryption     bool
 	ServerKey      string
 	ServerCert     string
-	AllowOrigin    string
+	AllowOrigins   []string
 	TrustedProxies conf.IPNetworks
 	ReadTimeout    conf.Duration
 	WriteTimeout   conf.Duration
@@ -119,7 +119,7 @@ func (a *API) Initialize() error {
 	router := gin.New()
 	router.SetTrustedProxies(a.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
 
-	router.Use(a.middlewareOrigin)
+	router.Use(a.middlewarePreflightRequests)
 	router.Use(a.middlewareAuth)
 
 	group := router.Group("/v3")
@@ -195,6 +195,7 @@ func (a *API) Initialize() error {
 
 	a.httpServer = &httpp.Server{
 		Address:      a.Address,
+		AllowOrigins: a.AllowOrigins,
 		ReadTimeout:  time.Duration(a.ReadTimeout),
 		WriteTimeout: time.Duration(a.WriteTimeout),
 		Encryption:   a.Encryption,
@@ -234,11 +235,7 @@ func (a *API) writeError(ctx *gin.Context, status int, err error) {
 	})
 }
 
-func (a *API) middlewareOrigin(ctx *gin.Context) {
-	ctx.Header("Access-Control-Allow-Origin", a.AllowOrigin)
-	ctx.Header("Access-Control-Allow-Credentials", "true")
-
-	// preflight requests
+func (a *API) middlewarePreflightRequests(ctx *gin.Context) {
 	if ctx.Request.Method == http.MethodOptions &&
 		ctx.Request.Header.Get("Access-Control-Request-Method") != "" {
 		ctx.Header("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PATCH, DELETE")

internal/api/api_test.go

@@ -83,7 +83,7 @@ func checkError(t *testing.T, msg string, body io.Reader) {
 func TestPreflightRequest(t *testing.T) {
 	api := API{
 		Address:      "localhost:9997",
-		AllowOrigin:  "*",
+		AllowOrigins: []string{"*"},
 		ReadTimeout:  conf.Duration(10 * time.Second),
 		WriteTimeout: conf.Duration(10 * time.Second),
 		AuthManager:  test.NilAuthManager,

internal/conf/allowed_origins.go

@@ -0,0 +1,4 @@
+package conf
+
+// AllowedOrigins is a list of allowed CORS origins.
+type AllowedOrigins []string