[ENH]: add Rust server config option for CORS allowed origins (#3861)

## Description of changes

Adds a config option for CORS allowed origins to the Rust server which
matches the behavior of the existing option on the Python side.

## Test plan
*How are these changes tested?*

Added a new test.

## Documentation Changes
*Are all docstrings for user-facing APIs updated if required? Do we need
to make documentation changes in the [docs
repository](https://github.com/chroma-core/docs)?*

Will need to update docs in
#3853.

Author: codetheweb

Cargo.lock

@@ -45,11 +45,13 @@ sha2 = "0.10.8"
 md5 = "0.7.0"
 regex = "1.11.1"
 pyo3 = { version = "0.23.3", features = ["abi3-py39"] }
-tower-http = { version = "0.6.2", features = ["trace"] }
+tower-http = { version = "0.6.2", features = ["trace", "cors"] }
 bytemuck = "1.21.0"
 validator = { version = "0.19", features = ["derive"] }
 rust-embed = { version = "8.5.0", features = ["include-exclude", "debug-embed"] }
 hnswlib = { version = "0.8.0", git = "https://github.com/chroma-core/hnswlib.git" }
+reqwest = { version = "0.12.9" }
+random-port = "0.1.1"
 
 chroma-benchmark = { path = "rust/benchmark" }
 chroma-blockstore = { path = "rust/blockstore" }

Cargo.toml

@@ -9,11 +9,7 @@ path = "src/lib.rs"
 [dependencies]
 anyhow = "1.0.93"
 async-tempfile = "0.6.0"
-async-compression = { version = "0.4.18", features = [
-  "tokio",
-  "gzip",
-  "bzip2",
-] }
+async-compression = { version = "0.4.18", features = ["tokio", "gzip", "bzip2"] }
 
 bincode = { workspace = true }
 clap = { workspace = true }
@@ -29,7 +25,7 @@ tokio = { workspace = true }
 uuid = { workspace = true }
 
 dirs = "5.0.1"
-reqwest = { version = "0.12.9", features = ["stream"] }
+reqwest = { workspace = true, features = ["stream"] }
 tokio-stream = { version = "0.1.16", features = ["full"] }
 tokio-util = "0.7.12"
 bloom = "0.3.2"

rust/benchmark/Cargo.toml

@@ -46,3 +46,7 @@ chroma-sqlite = { workspace = true }
 utoipa = { workspace = true }
 utoipa-axum = { version = "0.2.0", features = ["debug"] }
 utoipa-swagger-ui = { version = "9", features = ["axum"] }
+
+[dev-dependencies]
+reqwest = { workspace = true }
+random-port = { workspace = true }

rust/frontend/Cargo.toml

@@ -100,10 +100,12 @@ pub struct FrontendServerConfig {
     pub open_telemetry: Option<OpenTelemetryConfig>,
     #[serde(default)]
     pub persist_path: Option<String>,
+    #[serde(default)]
+    pub cors_allow_origins: Option<Vec<String>>,
 }
 
-const DEFAULT_CONFIG_PATH: &str = "./sample_configs/distributed.yaml";
-const DEFAULT_SINGLE_NODE_CONFIG_FILENAME: &str = "./sample_configs/single_node.yaml";
+const DEFAULT_CONFIG_PATH: &str = "sample_configs/distributed.yaml";
+const DEFAULT_SINGLE_NODE_CONFIG_FILENAME: &str = "sample_configs/single_node.yaml";
 
 #[derive(Embed)]
 #[folder = "./"]

rust/frontend/src/config.rs

@@ -29,6 +29,7 @@ use std::sync::{
     atomic::{AtomicBool, Ordering},
     Arc,
 };
+use tower_http::cors::CorsLayer;
 use utoipa::openapi::security::{ApiKey, ApiKeyValue, SecurityScheme};
 use utoipa::ToSchema;
 use utoipa::{Modify, OpenApi};
@@ -159,6 +160,7 @@ impl FrontendServer {
             listen_address,
             max_payload_size_bytes,
             circuit_breaker,
+            cors_allow_origins,
             ..
         } = self.config.clone();
 
@@ -239,7 +241,20 @@ impl FrontendServer {
             .merge(docs_router)
             .with_state(self)
             .layer(DefaultBodyLimit::max(max_payload_size_bytes));
-        let app = add_tracing_middleware(app);
+        let mut app = add_tracing_middleware(app);
+
+        if let Some(cors_allow_origins) = cors_allow_origins {
+            let origins = cors_allow_origins
+                .into_iter()
+                .map(|origin| origin.parse().unwrap())
+                .collect::<Vec<_>>();
+
+            let cors = CorsLayer::new()
+                .allow_origin(origins)
+                .allow_headers(tower_http::cors::Any)
+                .allow_methods(tower_http::cors::Any);
+            app = app.layer(cors);
+        }
 
         // TODO: tracing
         let addr = format!("{}:{}", listen_address, port);
@@ -1628,3 +1643,52 @@ impl Modify for ChromaTokenSecurityAddon {
     modifiers(&ChromaTokenSecurityAddon)
 )]
 struct ApiDoc;
+
+#[cfg(test)]
+mod tests {
+    use crate::{config::FrontendServerConfig, frontend::Frontend, FrontendServer};
+    use chroma_config::{registry::Registry, Configurable};
+    use chroma_system::System;
+    use std::sync::Arc;
+
+    #[tokio::test]
+    async fn test_cors() {
+        let registry = Registry::new();
+        let system = System::new();
+
+        let port = random_port::PortPicker::new().pick().unwrap();
+
+        let mut config = FrontendServerConfig::single_node_default();
+        config.port = port;
+        config.cors_allow_origins = Some(vec!["http://localhost:3000".to_string()]);
+
+        let frontend = Frontend::try_from_config(&(config.clone().frontend, system), &registry)
+            .await
+            .unwrap();
+        let app = FrontendServer::new(config, frontend, vec![], Arc::new(()), Arc::new(()));
+        tokio::task::spawn(async move {
+            app.run().await;
+        });
+
+        let client = reqwest::Client::new();
+        let res = client
+            .request(
+                reqwest::Method::OPTIONS,
+                format!("http://localhost:{}/api/v2/heartbeat", port),
+            )
+            .header("Origin", "http://localhost:3000")
+            .send()
+            .await
+            .unwrap();
+        assert_eq!(res.status(), 200);
+
+        let allow_origin = res.headers().get("Access-Control-Allow-Origin");
+        assert_eq!(allow_origin.unwrap(), "http://localhost:3000");
+
+        let allow_methods = res.headers().get("Access-Control-Allow-Methods");
+        assert_eq!(allow_methods.unwrap(), "*");
+
+        let allow_headers = res.headers().get("Access-Control-Allow-Headers");
+        assert_eq!(allow_headers.unwrap(), "*");
+    }
+}

rust/frontend/src/server.rs

@@ -27,5 +27,5 @@ opentelemetry_sdk = { workspace = true }
 chromadb = { git = "https://github.com/rescrv/chromadb-rs", rev = "540c3e225e92ecea05039b73b69adf5875385c0e" }
 guacamole = { version = "0.9", default-features = false }
 tower-http = { workspace = true }
-reqwest = { version = "0.12", features = ["json"] }
+reqwest = { workspace = true, features = ["json"] }
 siphasher = "1.0.1"

rust/load/Cargo.toml

@@ -68,7 +68,7 @@ fastrace = "0.7"
 fastrace-opentelemetry = "0.8"
 
 [dev-dependencies]
-random-port = "0.1.1"
+random-port = { workspace = true }
 serial_test = { workspace = true }
 criterion = { workspace = true }
 indicatif = { workspace = true }
@@ -99,4 +99,4 @@ harness = false
 
 [[bench]]
 name = "spann"
-harness = false
+harness = false