feat: set CORS URLs endpoint (#472)

* feat: set CORS URLs endpoint

* remove debug

Author: arcoraven

src/server/routes/configuration/cors/add.ts

@@ -10,16 +10,15 @@ import { ReplySchema } from "./get";
 const BodySchema = Type.Object({
   urlsToAdd: Type.Array(
     Type.String({
-      description:
-        "Comma separated list of origins to allow CORS for. Thirdweb URLs are automatically added.",
+      description: "Comma separated list of origins that will call Engine",
       minLength: 1,
     }),
   ),
 });
 
 BodySchema.examples = [
   {
-    urlsToAdd: ["https://example.com", "https://example2.com"],
+    urlsToAdd: ["https://example.com", "https://subdomain.example.com"],
   },
 ];
 

src/server/routes/configuration/cors/get.ts

@@ -3,9 +3,10 @@ import { FastifyInstance } from "fastify";
 import { StatusCodes } from "http-status-codes";
 import { getConfig } from "../../../../utils/cache/getConfig";
 import { standardResponseSchema } from "../../../schemas/sharedApiSchemas";
+import { mandatoryAllowedCorsUrls } from "../../../utils/cors-urls";
 
 export const ReplySchema = Type.Object({
-  result: Type.Union([Type.Array(Type.String()), Type.String(), Type.Null()]),
+  result: Type.Array(Type.String()),
 });
 
 export async function getCorsConfiguration(fastify: FastifyInstance) {
@@ -27,8 +28,13 @@ export async function getCorsConfiguration(fastify: FastifyInstance) {
     handler: async (req, res) => {
       const config = await getConfig(false);
 
+      // Omit required domains.
+      const omitted = config.accessControlAllowOrigin
+        .split(",")
+        .filter((url) => !mandatoryAllowedCorsUrls.includes(url));
+
       res.status(200).send({
-        result: config.accessControlAllowOrigin.split(","),
+        result: omitted,
       });
     },
   });

src/server/routes/configuration/cors/remove.ts

@@ -10,14 +10,14 @@ import { ReplySchema } from "./get";
 const BodySchema = Type.Object({
   urlsToRemove: Type.Array(
     Type.String({
-      description: "Comma separated list urls",
+      description: "Comma separated list of origins to remove",
     }),
   ),
 });
 
 BodySchema.examples = [
   {
-    urlsToRemove: ["https://example.com", "https://example2.com"],
+    urlsToRemove: ["https://example.com", "https://subdomain.example.com"],
   },
 ];
 

src/server/routes/configuration/cors/set.ts

@@ -0,0 +1,63 @@
+import { Static, Type } from "@sinclair/typebox";
+import { FastifyInstance } from "fastify";
+import { StatusCodes } from "http-status-codes";
+import { updateConfiguration } from "../../../../db/configuration/updateConfiguration";
+import { getConfig } from "../../../../utils/cache/getConfig";
+import { standardResponseSchema } from "../../../schemas/sharedApiSchemas";
+import { mandatoryAllowedCorsUrls } from "../../../utils/cors-urls";
+import { ReplySchema } from "./get";
+
+const BodySchema = Type.Object({
+  urls: Type.Array(
+    Type.String({
+      description: "Comma separated list of origins that will call Engine",
+      minLength: 1,
+    }),
+  ),
+});
+
+BodySchema.examples = [
+  {
+    urls: ["https://example.com", "https://subdomain.example.com"],
+  },
+];
+
+export async function setUrlsToCorsConfiguration(fastify: FastifyInstance) {
+  fastify.route<{
+    Body: Static<typeof BodySchema>;
+    Reply: Static<typeof ReplySchema>;
+  }>({
+    method: "PUT",
+    url: "/configuration/cors",
+    schema: {
+      summary: "Set CORS URLs",
+      description:
+        "Replaces the CORS URLs to allow client-side calls to Engine",
+      tags: ["Configuration"],
+      operationId: "setUrlsToCorsConfiguration",
+      body: BodySchema,
+      response: {
+        ...standardResponseSchema,
+        [StatusCodes.OK]: ReplySchema,
+      },
+    },
+    handler: async (req, res) => {
+      const urls = req.body.urls.map((url) => url.trim());
+
+      // Add required domains and dedupe.
+      const dedupe = Array.from(
+        new Set([...urls, ...mandatoryAllowedCorsUrls]),
+      );
+
+      await updateConfiguration({
+        accessControlAllowOrigin: dedupe.join(","),
+      });
+
+      // Fetch and return the updated configuration
+      const config = await getConfig(false);
+      res.status(200).send({
+        result: config.accessControlAllowOrigin.split(","),
+      });
+    },
+  });
+}

src/server/routes/index.ts

@@ -116,6 +116,7 @@ import { sendSignedUserOp } from "./transaction/blockchain/sendSignedUserOp";
 import { checkGroupStatus } from "./transaction/group";
 
 // Indexer
+import { setUrlsToCorsConfiguration } from "./configuration/cors/set";
 import { getContractEventLogs } from "./contract/events/getContractEventLogs";
 import { getEventLogs } from "./contract/events/getEventLogsByTimestamp";
 import { pageEventLogs } from "./contract/events/paginateEventLogs";
@@ -162,6 +163,7 @@ export const withRoutes = async (fastify: FastifyInstance) => {
   await fastify.register(getCorsConfiguration);
   await fastify.register(addUrlToCorsConfiguration);
   await fastify.register(removeUrlToCorsConfiguration);
+  await fastify.register(setUrlsToCorsConfiguration);
   await fastify.register(getCacheConfiguration);
   await fastify.register(updateCacheConfiguration);