fix: restrict CORS to configured origins (closes #40)

- Add CORSOrigins config field (UPAAS_CORS_ORIGINS env var) - Default to same-origin only (no CORS headers when unconfigured) - When configured, allow specified origins with AllowCredentials: true - Add tests for CORS middleware behavior
2026-02-19 13:45:18 -08:00
parent 506c795f16
commit 02847eea92
6 changed files with 105 additions and 61 deletions
--- a/internal/models/app.go
+++ b/internal/models/app.go
@@ -32,23 +32,23 @@ const (
 type App struct {
 	db *database.Database

-	ID             string
-	Name           string
-	RepoURL        string
-	Branch         string
-	DockerfilePath string
+	ID                string
+	Name              string
+	RepoURL           string
+	Branch            string
+	DockerfilePath    string
 	WebhookSecret     string
 	WebhookSecretHash string
 	SSHPrivateKey     string
-	SSHPublicKey   string
-	ImageID         sql.NullString
-	PreviousImageID sql.NullString
-	Status          AppStatus
-	DockerNetwork  sql.NullString
-	NtfyTopic      sql.NullString
-	SlackWebhook   sql.NullString
-	CreatedAt      time.Time
-	UpdatedAt      time.Time
+	SSHPublicKey      string
+	ImageID           sql.NullString
+	PreviousImageID   sql.NullString
+	Status            AppStatus
+	DockerNetwork     sql.NullString
+	NtfyTopic         sql.NullString
+	SlackWebhook      sql.NullString
+	CreatedAt         time.Time
+	UpdatedAt         time.Time
 }

 // NewApp creates a new App with a database reference.