
Conversation

@VojtechVitek VojtechVitek commented Dec 10, 2024

@VojtechVitek VojtechVitek force-pushed the restrict-cors-for-builder-secret-keys branch from cd2f6b3 to f692ffa, December 10, 2024 15:25
@VojtechVitek VojtechVitek force-pushed the restrict-cors-for-builder-secret-keys branch from f692ffa to 592dec4, December 10, 2024 15:26
Comment on lines +216 to +229
origin := r.Header.Get("Origin")
if origin != "" {
err := proto.ErrSecretKeyCorsDisallowed.WithCausef("project_id: %v", projectClaim)

slog.ErrorContext(ctx, "CORS disallowed for Secret Key",
slog.Any("error", err),
slog.String("origin", origin),
slog.Uint64("project_id", uint64(projectClaim)),
)

// TODO: Uncomment once we're confident it won't disrupt major customers.
// cfg.ErrHandler(r, w, err)
// return
}
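Review bot: the enforcement path (`cfg.ErrHandler(r, w, err)` / `return`) is left as commented-out code, so switching from log-only to reject later needs a code change and a redeploy; a config switch (for example an `EnforceSecretKeyCORS` bool on `cfg`, name assumed) would let the same build run in both modes and lets a unit test cover the reject branch now rather than when it is uncommented. Two smaller points: `project_id` is carried both in `WithCausef("project_id: %v", projectClaim)` and as a separate `slog.Uint64("project_id", ...)` attribute, so one of the two is redundant in the log line; and because the check keys only on a non-empty `Origin` header, it detects browser-originated use of a Secret Key but says nothing about non-browser misuse, which is worth stating in the log message or a comment so nobody reads the absence of this error as proof the key is only used server-side.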

For now, this will only log an error with origin and project_id fields if we encounter a Secret Key misused from a web app.

Eventually, we will error out instead, once we're confident it won't disrupt major customers.
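The same guard written as plain net/http middleware in Go, as an added example that is not the PR's or the project's code: the log-only mode the PR ships and the deferred reject mode sit behind one switch. Detecting a Secret Key by an "sk_" bearer-token prefix and the ErrSecretKeyCorsDisallowed variable are assumptions standing in for the project's project-claim lookup and its proto error.

```go
package main

import (
	"errors"
	"log/slog"
	"net/http"
	"os"
	"strings"
)

// Stand-in for the PR's proto.ErrSecretKeyCorsDisallowed (name and shape assumed here).
var ErrSecretKeyCorsDisallowed = errors.New("secret key must not be used from a browser origin")

// isSecretKeyRequest replaces the PR's project-claim lookup: for this example any bearer
// token prefixed "sk_" counts as a secret key (a constructed convention, not the project's).
func isSecretKeyRequest(r *http.Request) bool {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	return strings.HasPrefix(tok, "sk_")
}

// SecretKeyCORSGuard wraps next. A secret key presented together with an Origin header
// (i.e. from a browser context) is always logged, as in the merged PR, and is rejected
// with 403 when reject is true, which is the behaviour the PR defers for now.
func SecretKeyCORSGuard(reject bool, logger *slog.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && isSecretKeyRequest(r) {
			logger.ErrorContext(r.Context(), "CORS disallowed for Secret Key",
				slog.Any("error", ErrSecretKeyCorsDisallowed),
				slog.String("origin", origin),
			)
			if reject {
				http.Error(w, ErrSecretKeyCorsDisallowed.Error(), http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	logger := slog.New(slog.NewJSONHandler(os.Stderr, nil))
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	http.ListenAndServe(":8080", SecretKeyCORSGuard(true, logger, ok))
}
```

Requests without an Origin header, or with a non-secret credential, pass through untouched in both modes, so the log line is the only signal that browser-side misuse is occurring until reject is switched on.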

@VojtechVitek VojtechVitek merged commit addf813 into master Dec 11, 2024
2 checks passed
@VojtechVitek VojtechVitek deleted the restrict-cors-for-builder-secret-keys branch December 11, 2024 11:06

Works fine in node-gateway:

resource.type="k8s_container"
resource.labels.cluster_name="sequence-b27697b"
resource.labels.namespace_name="dev-sequence"
"CORS disallowed for Secret Key"

[Screenshot, 2024-12-11 3:15 PM: log explorer results for the query above]
