CORS issues making requests from Buf Studio

[hdevalence]

Describe the bug

CORS issues prevent Buf studio from making requests to the GRPC endpoints.

To Reproduce

https://buf.build/studio/penumbra-zone/penumbra/main/penumbra.core.component.shielded_pool.v1alpha1.QueryService/DenomMetadataById?target=https%3A%2F%2Fgrpc.testnet.penumbra.zone&selectedProtocol=grpc-web&share=swqq5lJQUEosLk4t8UxRslIAcYECmXl5qUVArpJHuJFroXFoVFiwU0lJfmh5aKa%2Bb2iJq3lRkVFoqLl%2BqIepgUFSZYG5v2OyrRJQby1XLQA

Fails in Firefox and iOS safari

Expected behavior

Making requests should just work

[conorsch]

Try again. I've implemented CORS headers on the grpc service for testnet, but not (yet) for preview:

❯ curl -I https://grpc.testnet.penumbra.zone
HTTP/2 200 
access-control-allow-credentials: true
access-control-allow-headers: accept,x-grpc-web,x-user-agent,content-type,user-agent
access-control-allow-origin: https://buf.build
content-type: application/grpc
date: Fri, 03 Nov 2023 22:50:43 GMT
grpc-status: 12
content-length: 0

❯ curl -I https://grpc.testnet-preview.penumbra.zone
HTTP/2 200 
content-type: application/grpc
date: Fri, 03 Nov 2023 22:50:46 GMT
grpc-status: 12
content-length: 0

You should therefore be able to use Buf Studio with the testnet grpc, but not with preview grpc. Can you confirm? Once the CORS config is solid, I'll add a PR to this repo to make sure it's always added, so it'll stick around, even on preview re-deploys.

[conorsch]

Initial report shows working in Safari. I'm leaving this issue open as a reminder to update preview to match.

[conorsch]

Headers are serving:

❯ curl -I https://grpc.testnet.penumbra.zone
HTTP/2 200 
access-control-allow-headers: accept,x-grpc-web,x-user-agent,content-type,user-agent
access-control-allow-origin: https://buf.build
content-type: application/grpc
date: Mon, 06 Nov 2023 22:35:23 GMT
grpc-status: 12
content-length: 0

❯ curl -I https://grpc.testnet-preview.penumbra.zone
HTTP/2 200 
access-control-allow-headers: accept,x-grpc-web,x-user-agent,content-type,user-agent
access-control-allow-origin: https://buf.build
content-type: application/grpc
date: Mon, 06 Nov 2023 22:35:26 GMT
grpc-status: 12
content-length: 0

via automatic deploy in https://github.com/penumbra-zone/penumbra/actions/runs/6777204344

[hdevalence]

We don't want to special-case Buf Studio, we want GRPC to work from arbitrary web contexts.

[conorsch]

Ah, I misunderstood. In that case, we'll want:

• access-control-allow-origin: *
• access-control-allow-methods: *

Which seems to have decent support cross-browser.

[hdevalence]

This is still broken. Steps to reproduce:

1. pd testnet join
2. pd start --home ... & cometbft start --home ...
3. Set endpoint to http://localhost:8080 in Buf Studio
4. Get "CORS Missing Allow Origin" (in Firefox, and presumably other browsers).

We can't fix this by special casing for Buf studio specifically or for the testnet infrastructure Penumbra Labs happens to run. The node software has to work out of the box.

[hdevalence]

https://docs.rs/tower-http/0.4.4/tower_http/cors/struct.AllowOrigin.html#method.any

2nd example block https://docs.rs/tonic-web/latest/tonic_web/index.html#enabling-tonic-services

https://docs.rs/tonic-web/latest/src/tonic_web/lib.rs.html#128-155

[conorsch]

OK, we should be good to go here. I've added CORS support inside pd, and removed the RP middleware. When running locally, I'm able to use Buf Studio against http://localhost:8080 just fine, although for the SimulateTrade RPC to work, I have to provide --enable-expensive-rpc to pd start. I'm also able to run the same against https://grpc.testnet-preview.penumbra.zone, so I'm closing this issue, but don't hesitate to reopen if I've missed something.