From 5d2cdb40f5007dd5b779418ce8aa748b82fb6d5a Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Tue, 5 Jul 2022 15:00:17 +0200
Subject: [PATCH] chore: Disable CORS on public API endpoints (#4970)
fixes: #3070
---
 config/environments/development.rb | 14 +-------------
 config/environments/production.rb | 24 ----------------------
 config/environments/staging.rb | 15 ---------------
 config/environments/test.rb | 10 ----------
 config/initializers/cors.rb | 31 ++++++++++++++++++++++++++++++
 5 files changed, 32 insertions(+), 62 deletions(-)
 create mode 100644 config/initializers/cors.rb
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 9791505d9..df991758b 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -76,17 +76,5 @@ Rails.application.configure do
     Bullet.bullet_logger = true
     Bullet.rails_logger = true
   end
-
-  # ref: https://github.com/cyu/rack-cors
-  config.middleware.insert_before 0, Rack::Cors do
-    allow do
-      origins '*'
-      resource '/packs/*', headers: :any, methods: [:get, :options]
-      resource '/audio/*', headers: :any, methods: [:get, :options]
-      resource '*', headers: :any, methods: :any, expose: ['access-token', 'client', 'uid', 'expiry']
-    end
-  end
-
-  # ref : https://medium.com/@emikaijuin/connecting-to-action-cable-without-rails-d39a8aaa52d5
-  config.action_cable.disable_request_forgery_protection = true
+
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index ac0567c62..a9504fc5c 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -42,16 +42,6 @@ Rails.application.configure do
   # Store uploaded files on the local file system (see config/storage.yml for options)
   config.active_storage.service = ENV.fetch('ACTIVE_STORAGE_SERVICE', 'local').to_sym
-  # Mount Action Cable outside main process or domain
-  # config.action_cable.mount_path = nil
-  # config.action_cable.url = 'wss://example.com/cable'
-
-  # to enable connecting to the API channel public APIs
-  config.action_cable.disable_request_forgery_protection = true
-  # if ENV['FRONTEND_URL'].present?
-  #   config.action_cable.allowed_request_origins = [ENV['FRONTEND_URL'], %r{https?://#{URI.parse(ENV['FRONTEND_URL']).host}(:[0-9]+)?}]
-  # end
-
-  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = ActiveModel::Type::Boolean.new.cast(ENV.fetch('FORCE_SSL', false))
@@ -113,18 +103,4 @@ Rails.application.configure do
   config.action_mailbox.ingress = ENV.fetch('RAILS_INBOUND_EMAIL_SERVICE', 'relay').to_sym
   Rails.application.routes.default_url_options = { host: ENV['FRONTEND_URL'] }
-
-  # font cors issue with CDN
-  # Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
-  # ref: https://github.com/cyu/rack-cors
-  config.middleware.insert_before 0, Rack::Cors do
-    allow do
-      origins '*'
-      resource '/packs/*', headers: :any, methods: [:get, :options]
-      resource '/audio/*', headers: :any, methods: [:get, :options]
-      if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false))
-        resource '*', headers: :any, methods: :any, expose: ['access-token', 'client', 'uid', 'expiry']
-      end
-    end
-  end
 end
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index 241b3f9a7..ed7cc0e84 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -34,11 +34,6 @@ Rails.application.configure do
   # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
-  # Mount Action Cable outside main process or domain
-  # config.action_cable.mount_path = nil
-  # config.action_cable.url = 'wss://example.com/cable'
-  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
-  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = ActiveModel::Type::Boolean.new.cast(ENV.fetch('FORCE_SSL', false))
@@ -80,14 +75,4 @@ Rails.application.configure do
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
-
-  # font cors issue with CDN
-  # Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
-  config.middleware.insert_before 0, Rack::Cors do
-    allow do
-      origins '*'
-      resource '/packs/*', headers: :any, methods: [:get, :options]
-      resource '/audio/*', headers: :any, methods: [:get, :options]
-    end
-  end
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 3dfe52c68..4d9e77c8e 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -51,14 +51,4 @@ Rails.application.configure do
   # Raises error for missing translations.
   # config.action_view.raise_on_missing_translations = true
   config.log_level = ENV.fetch('LOG_LEVEL', 'debug').to_sym
-
-  # font cors issue with CDN
-  # Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
-  config.middleware.insert_before 0, Rack::Cors do
-    allow do
-      origins '*'
-      resource '/packs/*', headers: :any, methods: [:get, :options]
-      resource '/audio/*', headers: :any, methods: [:get, :options]
-    end
-  end
 end
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 000000000..1d516370f
--- /dev/null
+++ b/config/initializers/cors.rb
@@ -0,0 +1,31 @@
+# config/initializers/cors.rb
+# ref: https://github.com/cyu/rack-cors
+
+# font cors issue with CDN
+# Ref: https://stackoverflow.com/questions/56960709/rails-font-cors-policy
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '/packs/*', headers: :any, methods: [:get, :options]
+    resource '/audio/*', headers: :any, methods: [:get, :options]
+    # Make the public endpoints accessible to the frontend
+    resource '/public/api/*', headers: :any, methods: :any
+
+    if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
+      resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
+    end
+  end
+end
+
+################################################
+######### Action Cable Related Config ##########
+################################################
+
+# Mount Action Cable outside main process or domain
+# Rails.application.config.action_cable.mount_path = nil
+# Rails.application.config.action_cable.url = 'wss://example.com/cable'
+# Rails.application.config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
+
+# To Enable connecting to the API channel public APIs
+# ref : https://medium.com/@emikaijuin/connecting-to-action-cable-without-rails-d39a8aaa52d5
+Rails.application.config.action_cable.disable_request_forgery_protection = true
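Review bot: `resource '/public/api/*', headers: :any, methods: :any` under `origins '*'` lets a page on any origin send any verb to those routes, and the comment above it ("Make the public endpoints accessible to the frontend") does not record the invariant that makes this acceptable: every handler under that prefix must work without ambient session/cookie authentication or CSRF tokens, which holds only while the wildcard origin is used with rack-cors's default of not allowing credentials. Suggest replacing that comment with `# origins '*' + methods :any: routes under /public/api must not depend on session cookies or CSRF tokens, since any site may call them` so a handler added there later is not silently exposed. Separately, `Rails.application.config.action_cable.disable_request_forgery_protection = true` now applies in every environment (the removed hunks set it only in development and production) while `allowed_request_origins` stays commented out, so Action Cable's origin check is off in staging and test as well; a one-line comment stating why that is acceptable, or scoping it per environment as before, would make the change reviewable.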