3PillarGlobal-Czechia / interview-app-api

API for Interview App.
MIT License

change cors to allow any origin on dev environment #70

Closed TomasNiemczyk98 closed 2 years ago

TomasNiemczyk98 commented 2 years ago

Summary

Changed CORS on dev environment to allow requests from any origin

Types of changes

TomasNiemczyk98 commented 2 years ago

@PlesnikJakub can we discuss how to correctly configure CORS?

PlesnikJakub commented 2 years ago

> @PlesnikJakub can we discuss how to correctly configure CORS?

Hey, it would be great if you could explore what is the best practice.

AllowAllOrigins is probably not the right call, I can imagine that for apps in development mode or in a dev environment but anything else should probably have strict rules about origins.

The only complication I can see there is that you will probably need to have information about the frontend URL which we can evade for now by hardcoding this value for production mode. (since we have one env, no harm)

TomasNiemczyk98 commented 2 years ago

@PlesnikJakub There are only 3 ways this can be done that I am aware of:

1) Front end and back end running under the same domain name and accepting only requests from that domain (ideal production scenario, not great for development?)
2) Allowing all origins and making the app only available inside some local network (most likely not an option if the development environment is hosted in the cloud)
3) Allow requests from a specific IP address range (3PG VPN?) which makes the app available only through the VPN (most likely this solution)

PlesnikJakub commented 2 years ago

@TomasNiemczyk98 based on this example I think you don't need to use IPs but you can use URLs which should be fine for our usecase. https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-6.0

I would propose to have a frontend URL in appsettings.json and allow it as the origin.

PlesnikJakub commented 2 years ago

🔥Treat that settings property as array 🔥 to allow multiple origins if needed
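One way to wire up what the two comments above propose (frontend origins kept as an array in appsettings.json, a strict allow-list outside Development, and the permissive setting confined to Development) as an added example in ASP.NET Core 6 minimal hosting; this is not the project's own code, and the `Cors:AllowedOrigins` key, the `FrontendPolicy` policy name and the sample origin value are assumptions:

```csharp
// Program.cs - added example, not code from the interview-app-api repository.
// Assumed appsettings.json shape (constructed for this example):
// {
//   "Cors": {
//     "AllowedOrigins": [ "https://interview-app.example.com" ]
//   }
// }
// Origins must be scheme + host (+ port) only: no path, no trailing slash.

var builder = WebApplication.CreateBuilder(args);

const string FrontendPolicy = "FrontendPolicy"; // assumed policy name

// Bind the setting as an array so several frontends can be listed if needed.
string[] allowedOrigins = builder.Configuration
    .GetSection("Cors:AllowedOrigins")
    .Get<string[]>() ?? Array.Empty<string>();

builder.Services.AddCors(options =>
{
    options.AddPolicy(FrontendPolicy, policy =>
    {
        if (builder.Environment.IsDevelopment())
        {
            // Development only: accept any origin. Note that AllowAnyOrigin cannot be
            // combined with AllowCredentials; the framework rejects that combination.
            policy.AllowAnyOrigin()
                  .AllowAnyHeader()
                  .AllowAnyMethod();
        }
        else
        {
            // Everywhere else: strict allow-list from configuration. Fail at startup if
            // the list is empty, so a misconfigured deployment is noticed immediately
            // instead of silently blocking (or, after a careless edit, opening) the API.
            if (allowedOrigins.Length == 0)
            {
                throw new InvalidOperationException(
                    "Cors:AllowedOrigins must list at least one origin outside Development.");
            }

            policy.WithOrigins(allowedOrigins)
                  .AllowAnyHeader()
                  .AllowAnyMethod();
        }
    });
});

builder.Services.AddControllers();

var app = builder.Build();

// UseCors must run before the endpoints (and before UseAuthorization) so that
// preflight OPTIONS requests are answered with the CORS headers.
app.UseCors(FrontendPolicy);
app.UseAuthorization();
app.MapControllers();

app.Run();
```

The environment check keys off `ASPNETCORE_ENVIRONMENT`, so the same binary behaves strictly in production without a code change, and the production origin list lives in configuration (appsettings.Production.json or an environment variable such as `Cors__AllowedOrigins__0`) rather than in source. A quick check after deploying is to send a request with an `Origin` header for a host that is not on the list and confirm the response carries no `Access-Control-Allow-Origin` header.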

sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
0.0% Duplication