Added AllowedOrigins CORS Configuration setting (#217)

* Added `AllowOrigins` setting * Renamed to `AllowedOrigins`
sancsoft · Jul 6, 2024 · e1b3993 · e1b3993
1 parent 6174845
commit e1b3993
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/src/dotnet/HQ.Server/Program.cs b/src/dotnet/HQ.Server/Program.cs
@@ -87,10 +87,7 @@
 builder.Services.AddScoped<IAuthorizationHandler, ProjectStatusReportAuthorizationHandler>();
 builder.Services.AddScoped<IAuthorizationHandler, TimeEntryAuthorizationHandler>();
 
-builder.Services.AddCors(options =>
-{
-    options.AddPolicy("AllowAny", policy => policy.AllowAnyHeader().AllowAnyOrigin().WithExposedHeaders("Content-Disposition")); // TODO: Replace with explicit allow URLs
-});
+builder.Services.AddCors();
 
 builder.Services.AddControllersWithViews(options =>
 {
@@ -216,7 +213,12 @@
 
 app.UseHttpsRedirection();
 
-app.UseCors("AllowAny");
+var corsAllowOrigin = app.Configuration.GetSection("AllowedOrigins").Get<string[]>() ?? [];
+app.UseCors(policy => policy
+    .WithOrigins(corsAllowOrigin)
+    .AllowAnyHeader()
+    .AllowAnyMethod()
+    .WithExposedHeaders("Content-Disposition"));
 
 app.UseAuthentication();
 app.UseAuthorization();

diff --git a/src/dotnet/HQ.Server/appsettings.json b/src/dotnet/HQ.Server/appsettings.json
@@ -31,6 +31,7 @@
     "From": "",
     "FromDisplayName": "HQ"
   },
+  "AllowedOrigins": ["http://localhost:4200", "http://hq.localhost:4200"],
   "ForwardedHeadersOptions": {
     "ForwardedHeaders": "XForwardedFor,XForwardedProto",
     "KnownProxies": [