make CORS feature configurable via environment variable

README.md

@@ -7,6 +7,7 @@ Zookeeper REST API
 
 - [Zoorest](#zoorest)
     - [Usage](#usage)
+    - [CORS](#cors)
     - [API v1](#api-v1)
         - [List node childrens](#list-node-childrens)
             - [Errors](#errors)
@@ -70,6 +71,21 @@ Typical usage scheme:
 
 [![tupical usage](img/usage.png)](img/usage.png)
 
+### CORS
+`Cross-origin resource sharing` is a feature that securely allows access to a zoorest instance from a web browser.   This is an optional feature and is disabled by default.  It is enabled and configured via OS environment variables.
+
+**ZOOREST_CORS_ENABLE**
+    enable the feature.  Any non-empty value is considered "true" and enables it.
+    **default:  false**
+
+**ZOOREST_CORS_DEBUG_ENABLE**
+    enable CORS debug mode Any non-null value is considered "true" and enables it.
+    **default: false**
+
+**ZOOREST_CORS_ALLOWED_ORIGINS**
+    comma delimited list of origin url patterns to allow access to the service.
+    **default: \***    (any origin)
+
 ## API v1
 
 ### List node childrens

main.go

@@ -3,16 +3,24 @@ package main
 import (
 	"flag"
 	"github.com/Difrex/zoorest/rest"
+	"os"
 	"strings"
 )
 
+const (
+	CorsFeatureEnableEnvVar string = `ZOOREST_CORS_ENABLE`
+	CorsDebugModeEnvVar     string = `ZOOREST_CORS_DEBUG_ENABLE`
+	CorsAllowedOrigins      string = `ZOOREST_CORS_ALLOWED_ORIGINS`
+)
+
 var (
 	zk       string
 	listen   string
 	path     string
 	mc       bool
 	mcHosts  string
 	mcPrefix string
+	ok       bool
 )
 
 // init ...
@@ -49,7 +57,34 @@ func main() {
 
 	zoo.MC = MC
 
-	rest.Serve(listen, zoo)
+	// get CORS settins from environment
+	// start by establishing defaults.
+	var cors = rest.CorsOptions{
+		Enabled:        false,
+		DebugEnabled:   false,
+		AllowedOrigins: []string{"*"},
+	}
+
+	var corsEnabled string
+	var ok bool
+	corsEnabled, ok = os.LookupEnv(CorsFeatureEnableEnvVar)
+	if ok && corsEnabled != "" {
+		cors.Enabled = true
+	}
+
+	var corsDebugEnabled string
+	corsDebugEnabled, ok = os.LookupEnv(CorsDebugModeEnvVar)
+	if ok && corsDebugEnabled != "" {
+		cors.DebugEnabled = true
+	}
+
+	var corsAllowedOrigins string
+	corsAllowedOrigins, ok = os.LookupEnv(CorsAllowedOrigins)
+	if ok && corsAllowedOrigins != "" {
+		cors.AllowedOrigins = strings.Split(corsAllowedOrigins, ",")
+	}
+
+	rest.Serve(listen, zoo, cors)
 }
 
 // getSlice returm slice

rest/api.go

@@ -39,6 +39,12 @@ type GetJSON struct {
 	Data   interface{} `json:"data"`
 }
 
+type CorsOptions struct {
+	Enabled        bool
+	DebugEnabled   bool
+	AllowedOrigins []string
+}
+
 // LS ...
 func (zk ZooNode) LS(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
@@ -210,7 +216,7 @@ func (zk ZooNode) GetJSON(w http.ResponseWriter, r *http.Request) {
 }
 
 // Serve ...
-func Serve(listen string, zk ZooNode) {
+func Serve(listen string, zk ZooNode, cors_options CorsOptions) {
 	r := mux.NewRouter()
 
 	// API v1
@@ -227,16 +233,22 @@ func Serve(listen string, zk ZooNode) {
 	r.HandleFunc("/v2{path:[A-Za-z0-9-_/.:]+}", zk.RM).Methods("DELETE")
 	r.HandleFunc("/v2{path:[A-Za-z0-9-_/.:]+}", zk.UP).Methods("PUT", "POST", "PATCH")
 
-	c := cors.New(cors.Options{
-		AllowedMethods: []string{"GET", "LIST", "DELETE", "PUT", "POST", "PATCH"},
-
-		// Enable Debugging for testing, consider disabling in production
-		Debug: true,
-	})
+	var handler http.Handler
 
-	handler := c.Handler(r)
+	if cors_options.Enabled {
+		c := cors.New(cors.Options{
+			AllowedMethods: []string{"GET", "LIST", "DELETE", "PUT", "POST", "PATCH"},
+			AllowedOrigins: cors_options.AllowedOrigins,
+			// Enable Debugging for testing, consider disabling in production
+			Debug: cors_options.DebugEnabled,
+		})
 
-	http.Handle("/", handler)
+		// decorate with cors handler
+		handler = c.Handler(r)
+	} else {
+		// default to no
+		handler = r
+	}
 
 	srv := http.Server{
 		Handler:      handler,