Merge pull request #89 from aplijobs/feature/cors_webwidget

Security | Adding CORS domain restriction based on webwidget url and widget filtering

app/controllers/widgets_controller.rb

@@ -9,6 +9,7 @@ class WidgetsController < ActionController::Base
   before_action :set_token
   before_action :set_contact
   before_action :build_contact
+  before_action :check_domain
   after_action :allow_iframe_requests
 
   private
@@ -24,6 +25,13 @@ def set_web_widget
     render json: { error: 'web widget does not exist' }, status: :not_found
   end
 
+  def check_domain
+    return if request.base_url.downcase.start_with? @web_widget.website_url.downcase
+
+    Rails.logger.error('web widget does not match with expected domain')
+    render json: { error: 'web widget does not match with expected domain' }, status: :not_found
+  end
+
   def set_token
     @token = permitted_params[:cw_conversation]
     @auth_token_params = if @token.present?

config/initializers/cors.rb

@@ -1,18 +1,58 @@
 # config/initializers/cors.rb
 # ref: https://github.com/cyu/rack-cors
 
-# font cors issue with CDN
-# Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
-Rails.application.config.middleware.insert_before 0, Rack::Cors do
-  allow do
-    origins '*'
-    resource '/packs/*', headers: :any, methods: [:get, :options]
-    resource '/audio/*', headers: :any, methods: [:get, :options]
-    # Make the public endpoints accessible to the frontend
-    resource '/public/api/*', headers: :any, methods: :any
-
-    if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
-      resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
+# rubocop:disable Rails/ApplicationRecord
+class WebWidget < ActiveRecord::Base
+  self.table_name = 'channel_web_widgets'
+end
+# rubocop:enable Rails/ApplicationRecord
+
+unless ENV.fetch('FRONTEND_URL', nil).nil?
+  Rails.application.config.middleware.insert_before 0, Rack::Cors do
+    allow do
+      origins ENV.fetch('FRONTEND_URL', '')
+      resource '/packs/*', headers: :any, methods: [:get, :options]
+      resource '/audio/*', headers: :any, methods: [:get, :options]
+      # Make the public endpoints accessible to the frontend
+      resource '/public/api/*', headers: :any, methods: :any
+
+      if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
+        resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
+      end
+    end
+  end
+end
+
+if ENV.fetch('CORS_WIDGET_CONFIG', true)
+  WebWidget.all.each do |widget|
+    # font cors issue with CDN
+    # Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
+    Rails.application.config.middleware.insert_before 0, Rack::Cors do
+      allow do
+        origins widget.website_url
+        resource '/packs/*', headers: :any, methods: [:get, :options]
+        resource '/audio/*', headers: :any, methods: [:get, :options]
+        # Make the public endpoints accessible to the frontend
+        resource '/public/api/*', headers: :any, methods: :any
+
+        if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
+          resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
+        end
+      end
+    end
+  end
+else
+  Rails.application.config.middleware.insert_before 0, Rack::Cors do
+    allow do
+      origins '*'
+      resource '/packs/*', headers: :any, methods: [:get, :options]
+      resource '/audio/*', headers: :any, methods: [:get, :options]
+      # Make the public endpoints accessible to the frontend
+      resource '/public/api/*', headers: :any, methods: :any
+
+      if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
+        resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
+      end
     end
   end
 end