Cors: more finegrained allowlist, make it simpler

2023-12-17 10:25:56 +00:00 · 2023-12-17 10:25:56 +00:00 · 55f3b23eed
commit 55f3b23eed
parent 98ce0408f7
7 changed files with 19 additions and 40 deletions
--- a/2
+++ b/2
@ -18,7 +18,7 @@ webui-build: webui-deps
@PHONY: devserver
 devserver:
 	echo -n '' > /tmp/rqbit-log
-	CORS_DEBUG=1 cargo run --release -- \
+	cargo run --release -- \
 		--log-file /tmp/rqbit-log \
 		--log-file-rust-log=debug,librqbit=trace \
 		server start /tmp/scratch/
--- a/crates/librqbit/src/http_api.rs
+++ b/crates/librqbit/src/http_api.rs
@ -10,7 +10,7 @@ use serde::{Deserialize, Serialize};
 use std::net::SocketAddr;
 use std::str::FromStr;
 use std::time::Duration;
-use tracing::{debug, info, warn};
+use tracing::{debug, info};

 use axum::Router;

@ -31,7 +31,6 @@ pub struct HttpApi {

 #[derive(Debug, Default)]
 pub struct HttpApiOptions {
-    pub cors_enable_all: bool,
    pub read_only: bool,
 }

@ -260,18 +259,24 @@ impl HttpApi {
            app = app.nest("/web/", webui_router);
        }

-        let enable_cors = std::env::var("CORS_DEBUG").is_ok() || self.opts.cors_enable_all;
-
-        // This is to develop webui by just doing "open index.html && tsc --watch"
-        let cors_layer = if enable_cors {
+        let cors_layer = {
            use tower_http::cors::{AllowHeaders, AllowOrigin};

-            warn!("CorsLayer: allowing everything");
+            const ALLOWED_ORIGINS: [&[u8]; 4] = [
+                // Webui-dev
+                b"http://localhost:3031",
+                b"http://127.0.0.1:3031",
+                // Tauri dev
+                b"http://localhost:1420",
+                // Tauri prod
+                b"tauri://localhost",
+            ];
+
            tower_http::cors::CorsLayer::default()
-                .allow_origin(AllowOrigin::predicate(|_, _| true))
+                .allow_origin(AllowOrigin::predicate(|v, _| {
+                    ALLOWED_ORIGINS.contains(&v.as_bytes())
+                }))
                .allow_headers(AllowHeaders::any())
-        } else {
-            Default::default()
        };

        let app = app
--- a/crates/librqbit/webui/src/components/TorrentsList.tsx
+++ b/crates/librqbit/webui/src/components/TorrentsList.tsx
@ -19,9 +19,7 @@ export const TorrentsList = (props: {
        <p className="text-center">No existing torrents found.</p>
      ) : (
        props.torrents.map((t: TorrentId) => (
-          <>
-            <Torrent id={t.id} key={t.id} torrent={t} />
-          </>
+          <Torrent id={t.id} key={t.id} torrent={t} />
        ))
      )}
    </div>
--- a/crates/rqbit/src/main.rs
+++ b/crates/rqbit/src/main.rs
@ -339,13 +339,7 @@ async fn async_main(opts: Opts) -> anyhow::Result<()> {
                    Some(log_config.rust_log_reload_tx),
                    Some(log_config.line_broadcast),
                );
-                let http_api = HttpApi::new(
-                    api,
-                    Some(HttpApiOptions {
-                        read_only: false,
-                        cors_enable_all: false,
-                    }),
-                );
+                let http_api = HttpApi::new(api, Some(HttpApiOptions { read_only: false }));
                let http_api_listen_addr = opts.http_api_listen_addr;
                http_api
                    .make_http_api_and_run(http_api_listen_addr)
@ -430,13 +424,7 @@ async fn async_main(opts: Opts) -> anyhow::Result<()> {
                    Some(log_config.rust_log_reload_tx),
                    Some(log_config.line_broadcast),
                );
-                let http_api = HttpApi::new(
-                    api,
-                    Some(HttpApiOptions {
-                        cors_enable_all: false,
-                        read_only: true,
-                    }),
-                );
+                let http_api = HttpApi::new(api, Some(HttpApiOptions { read_only: true }));
                let http_api_listen_addr = opts.http_api_listen_addr;
                librqbit_spawn(
                    "http_api",
--- a/desktop/src-tauri/src/config.rs
+++ b/desktop/src-tauri/src/config.rs
@ -88,7 +88,6 @@ pub struct RqbitDesktopConfigHttpApi {
    pub disable: bool,
    pub listen_addr: SocketAddr,
    pub read_only: bool,
-    pub cors_enable_all: bool,
 }

 impl Default for RqbitDesktopConfigHttpApi {
@ -97,7 +96,6 @@ impl Default for RqbitDesktopConfigHttpApi {
            disable: Default::default(),
            listen_addr: SocketAddr::V4(SocketAddrV4::new(Ipv4Addr::new(127, 0, 0, 1), 3030)),
            read_only: false,
-            cors_enable_all: true,
        }
    }
 }
--- a/desktop/src-tauri/src/main.rs
+++ b/desktop/src-tauri/src/main.rs
@ -103,7 +103,6 @@ async fn api_from_config(
        let http_api_task = librqbit::http_api::HttpApi::new(
            api.clone(),
            Some(librqbit::http_api::HttpApiOptions {
-                cors_enable_all: config.http_api.cors_enable_all,
                read_only: config.http_api.read_only,
            }),
        )
--- a/desktop/src/configure.tsx
+++ b/desktop/src/configure.tsx
@ -343,15 +343,6 @@ export const ConfigModal: React.FC<{
              help="If enabled, only GET requests will be allowed through the API"
            />

-            <FormCheck
-              label="CORS any"
-              name="http_api.cors_enable_all"
-              checked={config.http_api.cors_enable_all}
-              disabled={config.http_api.disable}
-              onChange={handleToggleChange}
-              help="If enabled, the API will allow Cross Origin requests (including this app)"
-            />
-
            <FormInput
              label="Listen address"
              inputType="text"