[Platform API] Add CORS configuration to server settings and update .gitignore#2489
Conversation
Thushani-Jayasekera
commented
Jul 7, 2026
- Introduced CORS struct in the server configuration to manage allowed origins for credentialed requests.
- Updated validation logic to ensure non-wildcard origins are specified when not in demo mode.
- Enhanced CORS middleware to conditionally allow credentials based on the configured origins.
- Added entries to .gitignore to exclude sensitive key material and local directories from version control.
- Introduced CORS struct in the server configuration to manage allowed origins for credentialed requests. - Updated validation logic to ensure non-wildcard origins are specified when not in demo mode. - Enhanced CORS middleware to conditionally allow credentials based on the configured origins. - Added entries to .gitignore to exclude sensitive key material and local directories from version control.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughUpdates shared CORS handling to fail closed for empty allowlists, adds platform-api CORS configuration and environment mapping, validates non-demo startup allowlists, wires server middleware from config, and expands ignore rules for local secrets and checkouts. ChangesCORS Security Fix and Configuration
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant Startup as Server Startup
participant Config as Config Loader
participant Validator as validateAuthConfig
participant CORSSetup as StartPlatformAPIServer
participant Middleware as applyCORSHeaders
Startup->>Config: load cfg.CORS.AllowedOrigins
Startup->>Validator: validate in non-demo mode
Validator-->>Startup: reject empty or wildcard allowlist
Startup->>CORSSetup: configure CORS middleware
CORSSetup->>Middleware: pass AllowedOrigins and AllowCredentials
Middleware->>Middleware: omit credentials for wildcard origin
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies" Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Updated CORSOptions documentation to clarify that an empty allowlist denies all cross-origin access by default. - Adjusted the CORS middleware to ensure that cross-origin requests are disabled unless explicitly allowed, with appropriate logging for configuration warnings. - Removed the fallback to allow all origins in demo mode, enhancing security by requiring explicit opt-in for cross-origin access.
|
Should by default disable CORS. inbuilt apps doesn't need this as they have BFFs. |