implement CORS headers in API (#358)

cmd/bee/cmd/start.go

@@ -39,6 +39,7 @@ func (c *command) initStartCmd() (err error) {
 		optionNameDebugAPIAddr       = "debug-api-addr"
 		optionNameBootnodes          = "bootnode"
 		optionNameNetworkID          = "network-id"
+		optionCORSAllowedOrigins     = "cors-allowed-origins"
 		optionNameTracingEnabled     = "tracing"
 		optionNameTracingEndpoint    = "tracing-endpoint"
 		optionNameTracingServiceName = "tracing-service-name"
@@ -105,6 +106,7 @@ func (c *command) initStartCmd() (err error) {
 				DisableQUIC:        c.config.GetBool(optionNameP2PDisableQUIC),
 				NetworkID:          c.config.GetUint64(optionNameNetworkID),
 				Bootnodes:          c.config.GetStringSlice(optionNameBootnodes),
+				CORSAllowedOrigins: c.config.GetStringSlice(optionCORSAllowedOrigins),
 				TracingEnabled:     c.config.GetBool(optionNameTracingEnabled),
 				TracingEndpoint:    c.config.GetString(optionNameTracingEndpoint),
 				TracingServiceName: c.config.GetString(optionNameTracingServiceName),
@@ -166,6 +168,7 @@ func (c *command) initStartCmd() (err error) {
 	cmd.Flags().Bool(optionNameEnableDebugAPI, false, "enable debug HTTP API")
 	cmd.Flags().String(optionNameDebugAPIAddr, ":6060", "debug HTTP API listen address")
 	cmd.Flags().Uint64(optionNameNetworkID, 1, "ID of the Swarm network")
+	cmd.Flags().StringSlice(optionCORSAllowedOrigins, []string{}, "origins with CORS headers enabled")
 	cmd.Flags().Bool(optionNameTracingEnabled, false, "enable tracing")
 	cmd.Flags().String(optionNameTracingEndpoint, "127.0.0.1:6831", "endpoint to send tracing data")
 	cmd.Flags().String(optionNameTracingServiceName, "bee", "service name identifier for tracing")

pkg/api/api.go

@@ -26,10 +26,11 @@ type server struct {
 }
 
 type Options struct {
-	Tags   *tags.Tags
-	Storer storage.Storer
-	Logger logging.Logger
-	Tracer *tracing.Tracer
+	Tags               *tags.Tags
+	Storer             storage.Storer
+	CORSAllowedOrigins []string
+	Logger             logging.Logger
+	Tracer             *tracing.Tracer
 }
 
 func New(o Options) Service {

pkg/api/router.go

@@ -59,6 +59,27 @@ func (s *server) setupRouting() {
 		handlers.CompressHandler,
 		// todo: add recovery handler
 		s.pageviewMetricsHandler,
+		func(h http.Handler) http.Handler {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if o := r.Header.Get("Origin"); o != "" && (s.CORSAllowedOrigins == nil || containsOrigin(o, s.CORSAllowedOrigins)) {
+					w.Header().Set("Access-Control-Allow-Credentials", "true")
+					w.Header().Set("Access-Control-Allow-Origin", o)
+					w.Header().Set("Access-Control-Allow-Headers", "Origin, Accept, Authorization, Content-Type, X-Requested-With, Access-Control-Request-Headers, Access-Control-Request-Method")
+					w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST, PUT, DELETE")
+					w.Header().Set("Access-Control-Max-Age", "3600")
+				}
+				h.ServeHTTP(w, r)
+			})
+		},
 		web.FinalHandler(router),
 	)
 }
+
+func containsOrigin(s string, l []string) (ok bool) {
+	for _, e := range l {
+		if e == s || e == "*" {
+			return true
+		}
+	}
+	return false
+}

pkg/node/node.go

@@ -78,6 +78,7 @@ type Options struct {
 	DisableQUIC        bool
 	NetworkID          uint64
 	Bootnodes          []string
+	CORSAllowedOrigins []string
 	Logger             logging.Logger
 	TracingEnabled     bool
 	TracingEndpoint    string
@@ -291,10 +292,11 @@ func NewBee(o Options) (*Bee, error) {
 	if o.APIAddr != "" {
 		// API server
 		apiService = api.New(api.Options{
-			Tags:   tag,
-			Storer: ns,
-			Logger: logger,
-			Tracer: tracer,
+			Tags:               tag,
+			Storer:             ns,
+			CORSAllowedOrigins: o.CORSAllowedOrigins,
+			Logger:             logger,
+			Tracer:             tracer,
 		})
 		apiListener, err := net.Listen("tcp", o.APIAddr)
 		if err != nil {