Cors: more finegrained allowlist, make it simpler

2023-12-17 10:25:56 +00:00 · 2023-12-17 10:25:56 +00:00 · 55f3b23eed
commit 55f3b23eed
parent 98ce0408f7
7 changed files with 19 additions and 40 deletions
--- a/crates/librqbit/src/http_api.rs
+++ b/crates/librqbit/src/http_api.rs
@ -10,7 +10,7 @@ use serde::{Deserialize, Serialize};
 use std::net::SocketAddr;
 use std::str::FromStr;
 use std::time::Duration;
-use tracing::{debug, info, warn};
+use tracing::{debug, info};

 use axum::Router;

@ -31,7 +31,6 @@ pub struct HttpApi {

 #[derive(Debug, Default)]
 pub struct HttpApiOptions {
-    pub cors_enable_all: bool,
    pub read_only: bool,
 }

@ -260,18 +259,24 @@ impl HttpApi {
            app = app.nest("/web/", webui_router);
        }

-        let enable_cors = std::env::var("CORS_DEBUG").is_ok() || self.opts.cors_enable_all;
-
-        // This is to develop webui by just doing "open index.html && tsc --watch"
-        let cors_layer = if enable_cors {
+        let cors_layer = {
            use tower_http::cors::{AllowHeaders, AllowOrigin};

-            warn!("CorsLayer: allowing everything");
+            const ALLOWED_ORIGINS: [&[u8]; 4] = [
+                // Webui-dev
+                b"http://localhost:3031",
+                b"http://127.0.0.1:3031",
+                // Tauri dev
+                b"http://localhost:1420",
+                // Tauri prod
+                b"tauri://localhost",
+            ];
+
            tower_http::cors::CorsLayer::default()
-                .allow_origin(AllowOrigin::predicate(|_, _| true))
+                .allow_origin(AllowOrigin::predicate(|v, _| {
+                    ALLOWED_ORIGINS.contains(&v.as_bytes())
+                }))
                .allow_headers(AllowHeaders::any())
-        } else {
-            Default::default()
        };

        let app = app
--- a/crates/librqbit/webui/src/components/TorrentsList.tsx
+++ b/crates/librqbit/webui/src/components/TorrentsList.tsx
@ -19,9 +19,7 @@ export const TorrentsList = (props: {
        <p className="text-center">No existing torrents found.</p>
      ) : (
        props.torrents.map((t: TorrentId) => (
-          <>
-            <Torrent id={t.id} key={t.id} torrent={t} />
-          </>
+          <Torrent id={t.id} key={t.id} torrent={t} />
        ))
      )}
    </div>
--- a/crates/rqbit/src/main.rs
+++ b/crates/rqbit/src/main.rs
@ -339,13 +339,7 @@ async fn async_main(opts: Opts) -> anyhow::Result<()> {
                    Some(log_config.rust_log_reload_tx),
                    Some(log_config.line_broadcast),
                );
-                let http_api = HttpApi::new(
-                    api,
-                    Some(HttpApiOptions {
-                        read_only: false,
-                        cors_enable_all: false,
-                    }),
-                );
+                let http_api = HttpApi::new(api, Some(HttpApiOptions { read_only: false }));
                let http_api_listen_addr = opts.http_api_listen_addr;
                http_api
                    .make_http_api_and_run(http_api_listen_addr)
@ -430,13 +424,7 @@ async fn async_main(opts: Opts) -> anyhow::Result<()> {
                    Some(log_config.rust_log_reload_tx),
                    Some(log_config.line_broadcast),
                );
-                let http_api = HttpApi::new(
-                    api,
-                    Some(HttpApiOptions {
-                        cors_enable_all: false,
-                        read_only: true,
-                    }),
-                );
+                let http_api = HttpApi::new(api, Some(HttpApiOptions { read_only: true }));
                let http_api_listen_addr = opts.http_api_listen_addr;
                librqbit_spawn(
                    "http_api",