From 44519c3b048dc14faf1c1f67bfa0a67a823b81a2 Mon Sep 17 00:00:00 2001
From: chesedo
Date: Tue, 14 May 2024 10:47:33 +0100
Subject: [PATCH 1/3] refactor: allow cors from preview environments
---
 docker-compose.dev.yml | 2 +-
 gateway/src/api/latest.rs | 16 +++++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 4706a2ea5..7896b5040 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -88,7 +88,7 @@ services:
 - "--provisioner-uri=http://provisioner:8000"
 - "--proxy-fqdn=${APPS_FQDN}"
 - "--use-tls=${USE_TLS}"
- - "--cors-origin=http://localhost:3001"
+ - "--cors-origin=getsynth.vercel.app"
 - "--admin-key=${GATEWAY_ADMIN_KEY}"
 - "--permit-api-uri=https://api.eu-central-1.permit.io"
 - "--permit-pdp-uri=http://permit-pdp:7000"
diff --git a/gateway/src/api/latest.rs b/gateway/src/api/latest.rs
index 2d2b9f575..e6707ec93 100644
--- a/gateway/src/api/latest.rs
+++ b/gateway/src/api/latest.rs
@@ -15,7 +15,7 @@ use axum::{Json as AxumJson, Router};
 use fqdn::FQDN;
 use futures::Future;
 use http::header::AUTHORIZATION;
-use http::{HeaderValue, Method, StatusCode, Uri};
+use http::{request, HeaderValue, Method, StatusCode, Uri};
 use instant_acme::{AccountCredentials, ChallengeType};
 use serde::{Deserialize, Serialize};
 use shuttle_backends::auth::{AuthPublicKey, JwtAuthenticationLayer, ScopedLayer};
@@ -39,7 +39,7 @@ use shuttle_proto::provisioner::Ping;
 use tokio::sync::mpsc::Sender;
 use tokio::sync::{Mutex, MutexGuard};
 use tower::ServiceBuilder;
-use tower_http::cors::CorsLayer;
+use tower_http::cors::{AllowOrigin, CorsLayer};
 use tracing::{debug, error, field, info, instrument, trace, warn, Span};
 use ttl_cache::TtlCache;
 use ulid::Ulid;
@@ -1194,15 +1194,17 @@ impl ApiBuilder {
 }
 pub fn with_cors(mut self, cors_origin: &str) -> Self {
+ let cors_origin = cors_origin.to_owned();
+
 let cors_layer = CorsLayer::new()
 .allow_methods(vec![Method::GET, Method::POST, Method::DELETE])
 .allow_headers(vec![AUTHORIZATION])
 .max_age(Duration::from_secs(60) * 10)
- .allow_origin(
- cors_origin
- .parse::()
- .expect("to be able to parse the CORS origin"),
- );
+ .allow_origin(AllowOrigin::predicate(
+ move |origin: &HeaderValue, _request_parts: &request::Parts| {
+ origin.as_bytes().ends_with(cors_origin.as_bytes())
+ },
+ ));
 self.router = self.router.layer(cors_layer);
From c47a2039565c7adbf046bb0b73f3391fd3c076fc Mon Sep 17 00:00:00 2001
From: chesedo
Date: Tue, 14 May 2024 11:45:03 +0100
Subject: [PATCH 2/3] refactor: separate cors origin for staging
---
 .circleci/config.yml | 6 ++++++
 Makefile | 3 +++
 docker-compose.dev.yml | 2 +-
 docker-compose.yml | 2 +-
 4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index cdf419570..6e9092817 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -356,6 +356,9 @@ jobs:
 gateway-admin-key:
 description: "Admin API key that authorizes gateway requests to auth service, for key to jwt conversion."
 type: string
+ cors-origin:
+ description: "Where CORS requests are allowed from"
+ type: string
 permit-api-key:
 description: "Permit.io API key for the Permit environment that matches the current ${SHUTTLE_ENV}."
 type: string
@@ -386,6 +389,7 @@ jobs:
 AUTH_JWTSIGNING_PRIVATE_KEY=${<< parameters.jwt-signing-private-key >>} \
 CONTROL_DB_POSTGRES_URI=${<< parameters.control-db-postgres-uri >>} \
 GATEWAY_ADMIN_KEY=${<< parameters.gateway-admin-key >>} \
+ CORS_ORIGIN=${<< parameters.cors-origin >>} \
 PERMIT_API_KEY=${<< parameters.permit-api-key >>} \
 make deploy
 - when:
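Review bot: The predicate on the new `allow_origin` lines accepts any `Origin` whose bytes merely end with the configured value, so an unrelated host that happens to share that tail (constructed example: `https://evilgetsynth.vercel.app` against `getsynth.vercel.app`) passes, and the scheme is no longer checked at all, whereas the replaced `parse::<HeaderValue>` form matched the whole origin exactly. It also turns an empty `--cors-origin` (an unset `${CORS_ORIGIN}` in the compose files expands to `""`) into allow-all, because `ends_with(b"")` is always true. I would compare the origin's authority against the configured value exactly or at a label boundary and fail fast on an empty value, as sketched below; whether a `-` boundary is needed for preview hosts depends on how those hostnames are formed, which the diff does not show, so drop it if `.` suffices. `with_cors` continues past the end of the hunk.
```rust
    pub fn with_cors(mut self, cors_origin: &str) -> Self {
        let cors_origin = cors_origin.to_owned();
        // An empty value would otherwise match every origin.
        assert!(!cors_origin.is_empty(), "CORS origin must not be empty");

        // … unchanged: CorsLayer::new(), allow_methods, allow_headers, max_age …
            .allow_origin(AllowOrigin::predicate(
                move |origin: &HeaderValue, _request_parts: &request::Parts| {
                    // Compare the Origin's authority (host[:port]) with the configured
                    // value at a label boundary; a bare suffix test also accepts
                    // unrelated hosts that happen to end in the same characters.
                    let authority = origin
                        .to_str()
                        .ok()
                        .and_then(|s| s.parse::<Uri>().ok())
                        .and_then(|uri| uri.authority().map(|a| a.as_str().to_owned()));
                    match authority {
                        Some(authority) => {
                            authority == cors_origin
                                || authority
                                    .strip_suffix(cors_origin.as_str())
                                    .map_or(false, |prefix| {
                                        prefix.ends_with('.') || prefix.ends_with('-')
                                    })
                        }
                        None => false,
                    }
                },
            ));
        // … unchanged: router layering …
```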
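Review bot: The `description` on the new `cors-origin` parameter does not say what form the value takes: the values supplied later in the series (`getsynth.vercel.app`, `console.shuttle.rs`, `localhost:3001`) are bare host[:port] strings without a scheme, and the gateway compares the value against the tail of the request's `Origin` rather than as an exact origin. I would make it `description: "Host (no scheme) that CORS requests are allowed from; matched against the tail of the Origin header"` so the next person setting it does not paste a full `https://` URL and get no matches.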
@@ -753,6 +757,7 @@ workflows:
 jwt-signing-private-key: DEV_AUTH_JWTSIGNING_PRIVATE_KEY
 control-db-postgres-uri: DEV_CONTROL_DB_POSTGRES_URI
 gateway-admin-key: DEV_GATEWAY_ADMIN_KEY
+ cors-origin: getsynth.vercel.app
 permit-api-key: STAGING_PERMIT_API_KEY
 requires:
 - build-and-push-unstable
@@ -838,6 +843,7 @@ workflows:
 jwt-signing-private-key: PROD_AUTH_JWTSIGNING_PRIVATE_KEY
 control-db-postgres-uri: PROD_CONTROL_DB_POSTGRES_URI
 gateway-admin-key: PROD_GATEWAY_ADMIN_KEY
+ cors-origin: console.shuttle.rs
 permit-api-key: PROD_PERMIT_API_KEY
 ssh-fingerprint: 6a:c5:33:fe:5b:c9:06:df:99:64:ca:17:0d:32:18:2e
 ssh-config-script: production-ssh-config.sh
diff --git a/Makefile b/Makefile
index e36fdb7be..d961755f2 100644
--- a/Makefile
+++ b/Makefile
@@ -76,6 +76,8 @@ DEV_SUFFIX=-dev
 DEPLOYS_API_KEY?=gateway4deployes
 GATEWAY_ADMIN_KEY?=dh9z58jttoes3qvt
+CORS_ORIGIN?=localhost:3001
+
 # this should use the same version as our prod RDS database
 CONTROL_DB_POSTGRES_TAG?=15
 CONTROL_DB_POSTGRES_PASSWORD?=postgres
@@ -126,6 +128,7 @@ DOCKER_COMPOSE_ENV=\
 STRIPE_SECRET_KEY=$(STRIPE_SECRET_KEY)\
 AUTH_JWTSIGNING_PRIVATE_KEY=$(AUTH_JWTSIGNING_PRIVATE_KEY)\
 GATEWAY_ADMIN_KEY=$(GATEWAY_ADMIN_KEY)\
+ CORS_ORIGIN=$(CORS_ORIGIN)\
 DD_ENV=$(DD_ENV)\
 USE_TLS=$(USE_TLS)\
 COMPOSE_PROFILES=$(COMPOSE_PROFILES)\
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 7896b5040..0d65600a2 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -88,7 +88,7 @@ services:
 - "--provisioner-uri=http://provisioner:8000"
 - "--proxy-fqdn=${APPS_FQDN}"
 - "--use-tls=${USE_TLS}"
- - "--cors-origin=getsynth.vercel.app"
+ - "--cors-origin=${CORS_ORIGIN}"
 - "--admin-key=${GATEWAY_ADMIN_KEY}"
 - "--permit-api-uri=https://api.eu-central-1.permit.io"
 - "--permit-pdp-uri=http://permit-pdp:7000"
diff --git a/docker-compose.yml b/docker-compose.yml
index 9670fda2b..639ba44a3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -122,7 +122,7 @@ services:
 - "--provisioner-uri=http://provisioner:8000"
 - "--proxy-fqdn=${APPS_FQDN}"
 - "--use-tls=${USE_TLS}"
- - "--cors-origin=https://console.shuttle.rs"
+ - "--cors-origin=${CORS_ORIGIN}"
 - "--admin-key=${GATEWAY_ADMIN_KEY}"
 - "--permit-api-uri=https://api.eu-central-1.permit.io"
 - "--permit-pdp-uri=http://permit-pdp:7000"
From 6b03309320a13a22264ca8be25990cf47f65b4be Mon Sep 17 00:00:00 2001
From: chesedo
Date: Tue, 14 May 2024 12:00:03 +0100
Subject: [PATCH 3/3] refactor: not a secret; don't escape
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 6e9092817..60cf7776b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -389,7 +389,7 @@ jobs:
 AUTH_JWTSIGNING_PRIVATE_KEY=${<< parameters.jwt-signing-private-key >>} \
 CONTROL_DB_POSTGRES_URI=${<< parameters.control-db-postgres-uri >>} \
 GATEWAY_ADMIN_KEY=${<< parameters.gateway-admin-key >>} \
- CORS_ORIGIN=${<< parameters.cors-origin >>} \
+ CORS_ORIGIN=<< parameters.cors-origin >> \
 PERMIT_API_KEY=${<< parameters.permit-api-key >>} \
 make deploy
 - when:
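Review bot: The new `--cors-origin=${CORS_ORIGIN}` line expands to `--cors-origin=` when the variable is missing from the deploy environment, so the gateway starts with an empty origin setting instead of the deploy failing; the previous hard-coded `https://console.shuttle.rs` could not regress this way. Compose's required-variable form, `- "--cors-origin=${CORS_ORIGIN:?CORS_ORIGIN must be set}"`, makes a missing value a startup error. The same applies to the `docker-compose.dev.yml` hunk in patch 2, although there the Makefile default of `localhost:3001` covers the usual case.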
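Review bot: The new `CORS_ORIGIN=<< parameters.cors-origin >> \` line splices the pipeline parameter into the shell command unquoted, so a value containing whitespace or shell metacharacters would be word-split or interpreted rather than passed through to `make deploy`; `CORS_ORIGIN="<< parameters.cors-origin >>" \` keeps it a single word. Dropping the `${...}` indirection is itself fine, since that form reads the value from a same-named environment variable, which the commit message says this value is not.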