Skip to content

[Platform API] Add CORS configuration to server settings and update .gitignore#2489

Merged
Thushani-Jayasekera merged 2 commits into
wso2:mainfrom
Thushani-Jayasekera:sec
Jul 7, 2026
Merged

[Platform API] Add CORS configuration to server settings and update .gitignore#2489
Thushani-Jayasekera merged 2 commits into
wso2:mainfrom
Thushani-Jayasekera:sec

Conversation

@Thushani-Jayasekera

Copy link
Copy Markdown
Contributor
  • Introduced CORS struct in the server configuration to manage allowed origins for credentialed requests.
  • Updated validation logic to ensure non-wildcard origins are specified when not in demo mode.
  • Enhanced CORS middleware to conditionally allow credentials based on the configured origins.
  • Added entries to .gitignore to exclude sensitive key material and local directories from version control.

- Introduced CORS struct in the server configuration to manage allowed origins for credentialed requests.
- Updated validation logic to ensure non-wildcard origins are specified when not in demo mode.
- Enhanced CORS middleware to conditionally allow credentials based on the configured origins.
- Added entries to .gitignore to exclude sensitive key material and local directories from version control.
@Thushani-Jayasekera Thushani-Jayasekera changed the title Add CORS configuration to server settings and update .gitignore [Platform API] Add CORS configuration to server settings and update .gitignore Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5feb04d4-e9b3-4aea-9ccb-007e6c320fe0

📥 Commits

Reviewing files that changed from the base of the PR and between f737461 and 7658177.

📒 Files selected for processing (2)
  • httpkit/middleware/cors.go
  • platform-api/internal/server/server.go

📝 Walkthrough

Walkthrough

Updates shared CORS handling to fail closed for empty allowlists, adds platform-api CORS configuration and environment mapping, validates non-demo startup allowlists, wires server middleware from config, and expands ignore rules for local secrets and checkouts.

Changes

CORS Security Fix and Configuration

Layer / File(s) Summary
CORS middleware credential guard
httpkit/middleware/cors.go
Access-Control-Allow-Credentials is now sent only when credentials are enabled and the resolved origin is not *; empty allowlists now resolve to deny instead of wildcard allow-all.
CORS config schema and env mapping
platform-api/config/config.go, platform-api/config/config.toml
Adds Server.CORS, defines AllowedOrigins, maps cors_allowed_origins to cors.allowed_origins, and documents the commented CORS example.
Server-side validation and middleware wiring
platform-api/internal/server/server.go
Non-demo startup now rejects empty or wildcard allowlists, and the CORS middleware uses configured origins with updated warnings and credential handling.
Ignore secrets and local checkouts
.gitignore
Adds ignore rules for platform-api/config/data/, platform-api/src/, **/*.key, and **/certs/*.pem.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Startup as Server Startup
  participant Config as Config Loader
  participant Validator as validateAuthConfig
  participant CORSSetup as StartPlatformAPIServer
  participant Middleware as applyCORSHeaders

  Startup->>Config: load cfg.CORS.AllowedOrigins
  Startup->>Validator: validate in non-demo mode
  Validator-->>Startup: reject empty or wildcard allowlist
  Startup->>CORSSetup: configure CORS middleware
  CORSSetup->>Middleware: pass AllowedOrigins and AllowCredentials
  Middleware->>Middleware: omit credentials for wildcard origin
Loading

Suggested reviewers: VirajSalaka, Tharsanan1, RakhithaRR, malinthaprasan, AnuGayan

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is only a bullet summary and omits required template sections like Purpose, Goals, Approach, tests, and security checks. Reformat it to the repository template and add the missing sections, including purpose, goals, approach, user stories, docs, tests, security, samples, related PRs, and test environment.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding CORS config and updating .gitignore.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 7, 2026
- Updated CORSOptions documentation to clarify that an empty allowlist denies all cross-origin access by default.
- Adjusted the CORS middleware to ensure that cross-origin requests are disabled unless explicitly allowed, with appropriate logging for configuration warnings.
- Removed the fallback to allow all origins in demo mode, enhancing security by requiring explicit opt-in for cross-origin access.
@malinthaprasan

Copy link
Copy Markdown
Contributor

Should by default disable CORS. inbuilt apps doesn't need this as they have BFFs.

@Thushani-Jayasekera
Thushani-Jayasekera merged commit 532bb6c into wso2:main Jul 7, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants