From 9215d9ba0f29d62201d3feea9e77dcd274581624 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Mon, 18 Dec 2023 22:05:49 -0800
Subject: [PATCH] fix(auth): limit admin cors access to only localhost:3000
---
 router/middleware/auth.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/router/middleware/auth.go b/router/middleware/auth.go
index 574610cdf..15f1f4776 100644
--- a/router/middleware/auth.go
+++ b/router/middleware/auth.go
@@ -25,11 +25,9 @@ func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
 password := data.GetAdminPassword()
 realm := "Owncast Authenticated Request"
- // The following line is kind of a work around.
- // If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
- // Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
- // If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
- w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+ // Alow CORS only for localhost:3000 to support Owncast development.
+ validAdminHost := "http://localhost:3000"
+ w.Header().Set("Access-Control-Allow-Origin", validAdminHost)
 w.Header().Set("Access-Control-Allow-Credentials", "true")
 w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
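Review bot: The new `validAdminHost` grant on the `Access-Control-Allow-Origin` line is unconditional, so credentialed cross-origin access (the `Access-Control-Allow-Credentials: true` line below it is unchanged) is extended to `http://localhost:3000` in every deployment, not only during development — any page an admin happens to run on that port on their own machine is treated the same as the Owncast dev UI. Since the commit message frames this as a development convenience, consider emitting the header only when the request's `Origin` actually matches, and, if the project exposes a development-mode setting, only when that is enabled: `if origin := r.Header.Get("Origin"); origin == validAdminHost { w.Header().Set("Access-Control-Allow-Origin", origin) }`. Hard-coding the scheme also means an HTTPS dev server on the same port will not match, which deserves a note in the comment. The comment has a typo (`Alow` → `Allow`), and `validAdminHost` would read better as a package-level `const` than a local string literal. `RequireAdminAuth`'s body continues outside the hunk on both sides, so whether the preflight `OPTIONS` path is handled consistently cannot be judged from here.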