GoSec_Cloud/gsc-shell-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: CORS so browsers can fetch shell config cross-origin

Browse Source 
Apps run on different hostnames (crm.gosec.internal,
chronos.gosec.internal, …) so the browser fetch from <AppShell> to
shell-api.gosec.internal is cross-origin and was being blocked.

Add Fiber's cors middleware. Allowlist: any *.gosec.internal or
*.gosec.cloud origin (override via CORS_ORIGINS env if a tighter
list is needed). Allow Authorization + Content-Type + If-None-Match
on the request side; expose ETag on the response side. Methods
limited to GET + OPTIONS.

Image: v0.1.4

Verified:
  curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm
    -H "Origin: https://crm.gosec.internal" → 204 with
    access-control-allow-origin: https://crm.gosec.internal

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude
2026-05-10 13:24:16 +02:00
parent 7fb24e0452
commit bd62fcb599
3 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
cmd/server/main.go
View File

@@ -5,10 +5,12 @@ import (
"log"
"os"
"os/signal"
"strings"
"syscall"
"time"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/cors"
"github.com/gofiber/fiber/v2/middleware/logger"
"github.com/gofiber/fiber/v2/middleware/recover"
@@ -48,6 +50,28 @@ func main() {
Format: `{"time":"${time}","status":${status},"method":"${method}","path":"${path}","latency":"${latency}","ip":"${ip}"}` + "\n",
}))
// CORS — apps run on different hostnames (crm.gosec.internal,
// chronos.gosec.internal, etc.) so the browser fetch is cross-origin.
// Allow gosec.internal app origins; AllowOrigins is comma-separated
// via env (CORS_ORIGINS). Default permits any *.gosec.internal /
// *.gosec.cloud origin via the AllowOriginsFunc fallback.
corsConfig := cors.Config{
AllowMethods: "GET,OPTIONS",
AllowHeaders: "Authorization,Content-Type,If-None-Match",
ExposeHeaders: "ETag",
AllowCredentials: false,
MaxAge: 600,
}
if cfg.CORSAllowOrigins != "" {
corsConfig.AllowOrigins = cfg.CORSAllowOrigins
} else {
corsConfig.AllowOriginsFunc = func(origin string) bool {
return strings.HasSuffix(origin, ".gosec.internal") ||
strings.HasSuffix(origin, ".gosec.cloud")
}
}
app.Use(cors.New(corsConfig))
health := &handlers.HealthHandlers{DB: database}
app.Get("/healthz", health.Live)
app.Get("/readyz", health.Ready)