feat: CORS so browsers can fetch shell config cross-origin

Apps run on different hostnames (crm.gosec.internal, chronos.gosec.internal, …) so the browser fetch from <AppShell> to shell-api.gosec.internal is cross-origin and was being blocked. Add Fiber's cors middleware. Allowlist: any *.gosec.internal or *.gosec.cloud origin (override via CORS_ORIGINS env if a tighter list is needed). Allow Authorization + Content-Type + If-None-Match on the request side; expose ETag on the response side. Methods limited to GET + OPTIONS. Image: v0.1.4 Verified: curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm -H "Origin: https://crm.gosec.internal" → 204 with access-control-allow-origin: https://crm.gosec.internal Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 13:24:16 +02:00
parent 7fb24e0452
commit bd62fcb599
3 changed files with 27 additions and 1 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -14,6 +14,7 @@ type Config struct {
 	KeycloakDiscovery string // optional in-cluster discovery URL override
 	KeycloakAudCSV    string // comma-separated allowed audiences (client_id values)
 	CacheTTLSeconds   int    // for client-side Cache-Control hint
+	CORSAllowOrigins  string // comma-separated; empty = allow *.gosec.internal/*.gosec.cloud
 }

 func Load() (*Config, error) {
@@ -24,6 +25,7 @@ func Load() (*Config, error) {
 		KeycloakAudCSV:    os.Getenv("KEYCLOAK_AUDIENCES"),
 		DatabaseURL:       os.Getenv("DATABASE_URL"),
 		CacheTTLSeconds:   60,
+		CORSAllowOrigins:  os.Getenv("CORS_ORIGINS"),
 	}
 	if p := os.Getenv("PORT"); p != "" {
 		v, err := strconv.Atoi(p)