fix: restrict CORS to configured origins (closes #40)

- Add CORSOrigins config field (UPAAS_CORS_ORIGINS env var) - Default to same-origin only (no CORS headers when unconfigured) - When configured, allow specified origins with AllowCredentials: true - Add tests for CORS middleware behavior
2026-02-19 13:45:18 -08:00
parent 506c795f16
commit 02847eea92
6 changed files with 105 additions and 61 deletions
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@@ -11,6 +11,7 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/config"
 )

+//nolint:gosec // test credentials
 func newCORSTestMiddleware(corsOrigins string) *Middleware {
 	return &Middleware{
 		log: slog.Default(),
@@ -24,6 +25,8 @@ func newCORSTestMiddleware(corsOrigins string) *Middleware {
 }

 func TestCORS_NoOriginsConfigured_NoCORSHeaders(t *testing.T) {
+	t.Parallel()
+
 	m := newCORSTestMiddleware("")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -31,6 +34,7 @@ func TestCORS_NoOriginsConfigured_NoCORSHeaders(t *testing.T) {

 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://evil.com")
+
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)

@@ -39,6 +43,8 @@ func TestCORS_NoOriginsConfigured_NoCORSHeaders(t *testing.T) {
 }

 func TestCORS_OriginsConfigured_AllowsMatchingOrigin(t *testing.T) {
+	t.Parallel()
+
 	m := newCORSTestMiddleware("https://app.example.com,https://other.example.com")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -46,6 +52,7 @@ func TestCORS_OriginsConfigured_AllowsMatchingOrigin(t *testing.T) {

 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://app.example.com")
+
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)

@@ -56,6 +63,8 @@ func TestCORS_OriginsConfigured_AllowsMatchingOrigin(t *testing.T) {
 }

 func TestCORS_OriginsConfigured_RejectsNonMatchingOrigin(t *testing.T) {
+	t.Parallel()
+
 	m := newCORSTestMiddleware("https://app.example.com")
 	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -63,6 +72,7 @@ func TestCORS_OriginsConfigured_RejectsNonMatchingOrigin(t *testing.T) {

 	req := httptest.NewRequest(http.MethodGet, "/", nil)
 	req.Header.Set("Origin", "https://evil.com")
+
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)