goadesign
Question/Feature: [CORS] Setting origin at runtime
I'm building an HTTP REST service with goa and the CORS plugin.
My question: Is it possible to set the CORS origin at runtime? I don't want to bake the origin into the generated server. I can't find a solution for this problem, have I overseen something?
Possible solution: The origin could be, for example, set by an environment variable?
cors.Origin("$CORS_ORIGIN", func() {
// ...
})
And the generated code could then be something like this:
// ...
if cors.MatchOrigin(origin, os.Getenv("CORS_ORIGIN")) {
/// ...
Just an idea though, other ways to set it dynamically would be fine too.
If there is a way to achieve something like this currently, please tell me.
Thanks! :)
Hello, you are correct that there is no way to do that at the moment. I'd be curious to understand a bit more about the use case? could you use a regular expression that allows for multiple origins (e.g. if it's to support multiple environments)?
Thanks for clarifying. 👍
In my project, I'm building my own backend and frontend. Both could be self-hosted by other people on their own servers.
It would be nice if the backend could be shipped as just one self-contained binary, but hard coding the CORS origin would not make this possible (without allowing any origin).
But maybe I am on the completely wrong path 😅
I also have considered that this would be a useful feature. However, my use case would be running the app in different environments. I would want to set one ONLY for local development, a different one for a staging environment and most importantly I would want the production one to be completely separate.
It would be possible to combine them all into one large regex, but I don't want anything but the production url to be permitted in production.
Currently the only way I can see that this is possible would be to script the design file itself so that the string is replaced just before goa is run on the design file. This feels however like something that would be a sensible feature of the plugin itself.
It could potentially be an option in the dsl where you would specify the an environment variable. This might mean creating a variant of the cors dsl methods themselves which get a value this way instead of the regular way. Ex.
cors.OriginEnv("APP_URL", func() {
})
There could be much cleaner ways, but that's just the first one that comes to mind. I'd be interested to hear other potential solutions!
Yeah, that could work and is probably the easiest way to implement the desired behavior. A cleaner way might be for the plugin to override the generated server struct (https://github.com/goadesign/plugins/blob/6962488b0bf6c21dacd44e4be0f28898f32504e9/cors/examples/calc/gen/http/calc/server/server.go#L23-L28) and add an "Origin" field that the generated code then uses instead of the hardcoded string (https://github.com/goadesign/plugins/blob/6962488b0bf6c21dacd44e4be0f28898f32504e9/cors/examples/calc/gen/http/calc/server/server.go#L190).
@raphael , gotcha. I think I might give this one a go myself. I'll see if I can put up a PR for this in the next week.
@NicolasBissig , you should be good to go on this once the next release goes out! However, feel free to wait to close this issue until you are able to try for yourself! :)
@raphael , do you think it would be possible to do a release of the plug-ins this week so that we can start making use of this feature? Thanks! 😊