Support CORS on OpenMRS using Nginx configuration #95

Open
githengi opened this issue Jul 29, 2019 · 5 comments
@githengi

Enable CORS support on OpenMRS using Nginx configuration

Add variables that will control:

  • whether CORS is enabled
  • the domains for which CORS is enabled
  • the CORS max age

Below is an example of a working config on Reveal stage:

location /openmrs {
    proxy_read_timeout 86400s;
    proxy_pass http://localhost:8081/openmrs;
    proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    # Preflight: answer directly without forwarding to OpenMRS.
    # $cors_allowed_domains and $cors_max_age are the variables proposed above.
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '$cors_allowed_domains';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'origin, content-type, accept, x-requested-with, Authorization';
        add_header 'Access-Control-Max-Age' $cors_max_age;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    # Actual requests: add the CORS headers to the proxied response.
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '$cors_allowed_domains';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'origin, content-type, accept, x-requested-with, Authorization';
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '$cors_allowed_domains';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'origin, content-type, accept, x-requested-with, Authorization';
    }
}

Reference
https://enable-cors.org/server_nginx.html
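The config above leaves `$cors_allowed_domains` undefined, and a browser only accepts a single origin in `Access-Control-Allow-Origin`, not a comma-separated list, so the "domains that CORS is enabled" setting has to be an allowlist that is matched against the request's `Origin` header. The snippet below is an added example, not code from this issue or from the OpenSRP/OpenMRS projects; the origins, server name and upstream are placeholders, and it shows how a `map` can produce that per-request value so that unknown origins get no CORS headers at all (which matters because `Allow-Credentials: true` combined with a reflected or wildcard origin lets any site make authenticated calls).

```nginx
# Build $cors_origin from the request's Origin header: only exact allowlisted
# origins are echoed back; anything else yields "" (placeholder origins).
map $http_origin $cors_origin {
    default                               "";
    "~^https://app\.example\.org$"        $http_origin;
    "~^https://dashboard\.example\.org$"  $http_origin;
}

server {
    listen 443 ssl;
    server_name openmrs.example.org;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted (placeholders)

    location /openmrs {
        proxy_pass http://localhost:8081/openmrs;   # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # nginx omits add_header when the value is empty, so a non-allowlisted
        # Origin gets no Access-Control-* headers. "always" keeps the headers
        # on 401/403 responses so the browser can still report the real error.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers     "origin, content-type, accept, x-requested-with, Authorization" always;
        # Stop shared caches from serving one origin's ACAO value to another.
        add_header Vary Origin always;

        # Preflight is answered here and never reaches OpenMRS. add_header is
        # not inherited into an "if" block that has its own add_header lines,
        # so the headers are repeated.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "origin, content-type, accept, x-requested-with, Authorization" always;
            add_header Access-Control-Max-Age           600;   # placeholder value
            add_header Vary Origin always;
            add_header Content-Type "text/plain; charset=UTF-8";
            add_header Content-Length 0;
            return 204;
        }
    }
}
```

A quick check after reloading is to send the same request twice, once with an allowlisted `Origin` and once with an unknown one, and confirm the second response carries no `Access-Control-Allow-Origin` header.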

@jasonrogena

jasonrogena commented Jul 29, 2019

Two things that have come up when discussing this with @githengi are:

  1. If we are to do this, we should probably limit to only the endpoints that need this.
  2. Question: What are the security implications? The fact that we are hesitant to add the DELETE method is (maybe) an indication that we shouldn't also add the POST method.

@moshthepitt

@githengi @jasonrogena

I personally feel really uncomfortable about this, informed by the discussion we had around the same area. OpenMRS type data to me seems exactly the kind that we need an intermediate for (based on our brand new policy in this same area) which in my view should naturally be the OpenSRP web server and so I would vote very much against doing this change on OpenMRS directly.

@moshthepitt

☝️Especially given the fact that the JS client side app in this case will have to use basic authentication, which means that that username and password will be available in the JS for anyone (else) to use.

@jasonrogena

OK. Going to block until team discusses further.

@githengi

githengi commented Jul 29, 2019

I am also in support of blocking this until the team discusses this approach further.

I also like the idea of proxying requests to OpenMRS from the OpenSRP server from a security standpoint.
