From 16bb54bebe98c2a034c9051da568625228b3dcd4 Mon Sep 17 00:00:00 2001
From: crapStone
Date: Mon, 2 May 2022 15:15:16 +0200
Subject: [PATCH] Fix cors issue (#1331)
closes #1326
Co-authored-by: crapStone
Reviewed-on: https://codeberg.org/Calciumdibromid/CaBr2/pulls/1331
Reviewed-by: Epsilon_02
---
 webserver/src/main.rs | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/webserver/src/main.rs b/webserver/src/main.rs
index 42c8e4eea..61f495cd4 100644
--- a/webserver/src/main.rs
+++ b/webserver/src/main.rs
@@ -14,26 +14,30 @@ use crate::impls::{
 #[derive(StructOpt, Debug)]
 #[structopt(name = "basic")]
 struct Opt {
- // socket address the webserver will start listening on
- #[structopt(short, long, default_value = "0.0.0.0:3030")]
+ /// socket address the webserver will start listening on
+ #[structopt(short, long, default_value = "127.0.0.1:3030")]
 address: String,
- // folder where created pdfs to download are stored
+ /// folder where created pdfs to download are stored
 #[structopt(long, default_value = "/tmp/cabr2_server/created")]
 download_folder: PathBuf,
- // cache folder
+ /// cache folder
 #[structopt(long, default_value = "/tmp/cabr2_server/cache")]
 cache_folder: PathBuf,
- // public address that will be used to generate the download links
+ /// public address that will be used to generate the download links
 #[structopt(short, long, default_value = "https://api.cabr2.de")]
 public_address: String,
- // domain which is allowed to make requests to the webserver,
- // this is a security header which will be set on responses
- #[structopt(short, long, default_value = "")]
- cors_allow_origin: String,
+ /// domain which is allowed to make requests to the webserver,
+ /// this is a security header which will be set on responses
+ #[structopt(short, long)]
+ cors_allow_origin: Vec,
+
+ /// allow any origin when requests are sent with CORS
+ #[structopt(long)]
+ cors_allow_any: bool,
 }
 #[tokio::main]
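Review bot: `--cors-allow-any` and `--cors-allow-origin` can be passed together, and the second hunk then takes the allow-any branch, so a configured allow-list is silently ignored. Declaring the two options mutually exclusive turns that misconfiguration into a startup error, e.g. `#[structopt(long, conflicts_with = "cors-allow-origin")]` on `cors_allow_any` (the argument name as structopt appears to derive it from the field; confirm). The help text on `cors_allow_origin` still says "domain" although the values are handed to warp as origins, so I would reword it to `/// origin (scheme://host[:port]) allowed to make CORS requests, may be given multiple times`.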
@@ -131,14 +135,19 @@ pub async fn main() {
 let downloads_folder = warp::path("download").and(warp::fs::dir(opt.download_folder));
- let cors = if opt.cors_allow_origin.is_empty() {
+ let cors = if opt.cors_allow_any {
+ log::warn!("Every origin is allowed for CORS requests!");
 warp::cors()
 .allow_any_origin()
 .allow_methods(vec!["GET", "POST"])
 .allow_headers(vec!["content-type"])
 } else {
+ if opt.cors_allow_origin.is_empty() {
+ log::warn!("No origin(s) specified for CORS requests! Every CORS request will fail!");
+ }
+
 warp::cors()
- .allow_origin(opt.cors_allow_origin.as_str())
+ .allow_origins(opt.cors_allow_origin.iter().map(|s| s.as_str()).collect::>())
 .allow_methods(vec!["GET", "POST"])
 .allow_headers(vec!["content-type"])
 };
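Review bot: The entries of `opt.cors_allow_origin` reach `.allow_origins(...)` unchecked, and warp documents that this builder method panics on an argument that is not a valid origin. An entry without a scheme, which the "domain" wording of the option invites, would therefore abort startup with a panic rather than a usage error. Checking the list before building the filter, e.g. `opt.cors_allow_origin.iter().all(|o| o.starts_with("http://") || o.starts_with("https://"))`, and exiting with a clear message on failure keeps the error readable. The empty-list case only warns and continues, which fails closed for CORS; a short comment above the `else` branch saying that this is intended would help the next reader. The body of `main` continues outside the hunk.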