Hello,
I am looking for a way to update the list of allowed origins after everything is started
```go
router := gin.Default()
CORSConfig := cors.DefaultConfig()
CORSConfig.AllowOrigins = []string{"example.com"} // INITIAL DEFINITION
router.Use(cors.New(CORSConfig))
// .. add /api/routes here ..
router.Run()
```
How could I add allowed origins with a call to my API? Is that possible?
Thanks!
Comment From: syssam
https://github.com/gin-contrib/cors
Comment From: adriendomoison
@syssam Yes, that's what I am using, but it is not possible to do that with this package...
Comment From: syssam
You mean an error?
It's simple to change:
```go
CORSConfig.AllowOrigins = []string{"http://example.com", "https://example.com"}
```
Comment From: syssam
https://github.com/gin-contrib/cors/issues/29
Comment From: adriendomoison
I'm so sorry I'm not clear @syssam thank you for your time!
Here is more descriptive code showing what I would like to achieve.
```go
package main

import (
	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.Default()
	CORSConfig := cors.DefaultConfig()
	CORSConfig.AllowOrigins = []string{"example.com"} // INITIAL DEFINITION
	router.Use(cors.New(CORSConfig))
	registerRoutes(router)
	router.Run()
}

// gin.Default() returns *gin.Engine, so the router is passed by pointer.
func registerRoutes(router *gin.Engine) {
	router.POST("/api/register-origin", registerNewOrigin)
}

type Origin struct {
	OriginUrl string `json:"origin_url"`
}

func registerNewOrigin(c *gin.Context) {
	origin := Origin{}
	// BindJSON replies with 400 and aborts on malformed input; stop here if it did.
	if err := c.BindJSON(&origin); err != nil {
		return
	}
	// add here 'origin.OriginUrl' to CORSConfig.AllowOrigins
}
```
```
POST api.example.com/api/register-origin
{
  "origin_url": "anotherdomain.com"
}
```
The goal is to be able to add Allowed Origins on the fly without restarting the API
Comment From: syssam
Um... You need to add some logic to cors; simply fork cors and add some code, because the origin is dynamic but cors does not support that.
Comment From: thinkerou
> without restarting the API

@adriendomoison hi, what does this mean?
Comment From: adriendomoison
@syssam Oh okay thanks :/ @thinkerou Hi, what I mean by that is the allowed origins are loadable on start only, with the current behavior. It is not updatable after gin router is started. The only way is to add the new origin to the code, a database or the environment and then restart the API to reload the list of allowed origins :)
Comment From: syssam
@adriendomoison you can write this in AllowOriginFunc
Comment From: jub0bs
@adriendomoison I'd be very interested to hear more about your use case. Why can you not change the CORS configuration and restart the server? Since CORS relaxes browser security, wouldn't you want changes to your CORS configuration to be subject to review anyway?
Comment From: adriendomoison
@jub0bs Imagine you want to create a small paid API.
Scenario:
You are offering an API with a database containing a century's worth of wheat price data. Users subscribe for $5/month and receive an API Key for authentication. A potential client, John from bigCorp.com, is interested in accessing the API.
Challenge:
- Traditionally, adding CORS support for new clients could require server reconfiguration and restarts, especially to handle cross-origin requests safely.
- It's impractical to restart the server every time a new client signs up (for example, John will call the API from the origin api.bigCorp.com).
Solution: Dynamic CORS Configuration:
- Introduce a new route, /update-cors-config, in the API.
- This route dynamically retrieves a list of all authorized domains from the database.
- It then updates the CORS configuration to include these domains as authorized sources.
Process:
- Client Registration: When a new user registers and pays, they provide the domain name of their server.
- Database Update: This domain is added to the database of authorized origins.
- Dynamic CORS Update: The /update-cors-config route is called on every new domain added, fetches the updated list of domains, and applies it to the CORS configuration.
Benefits:
- No Server Restart: Eliminates the need for server restarts when adding new clients.
- Automated and Secure: Streamlines the process while maintaining security, as only paid users' domains are added.
- Scalable: Easily handles an increasing number of clients without manual intervention for each CORS update.
I do believe that AllowOriginFunc solved this issue!
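One way to back the `AllowOriginFunc` approach mentioned in this thread, added here as an example and not code from any participant or from gin-contrib/cors: a standard-library-only origin set that can be updated at runtime, validates what gets registered, and matches origins exactly. `OriginRegistry`, `Add` and `Allowed` are hypothetical names, and `bigcorp.example` is a constructed value; the wiring would be `CORSConfig.AllowOriginFunc = reg.Allowed`, with the registration handler calling `reg.Add`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"sync"
)

// OriginRegistry is a hypothetical helper (not part of gin-contrib/cors):
// a set of exact origins that can be changed while the server is running.
type OriginRegistry struct {
	mu      sync.RWMutex
	origins map[string]struct{}
}

func NewOriginRegistry() *OriginRegistry { return &OriginRegistry{origins: map[string]struct{}{}} }

// Add accepts only a bare "scheme://host[:port]" value, so a client cannot
// register a wildcard, "null", or a URL carrying a path or credentials.
func (r *OriginRegistry) Add(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" || u.User != nil ||
		u.Path != "" || u.RawQuery != "" || u.Fragment != "" || strings.Contains(u.Host, "*") {
		return errors.New("origin must be scheme://host[:port] with http or https")
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.origins[strings.ToLower(u.Scheme+"://"+u.Host)] = struct{}{}
	return nil
}

// Allowed has the func(origin string) bool shape of cors.Config.AllowOriginFunc.
// It is an exact match: no prefix, suffix or substring comparison.
func (r *OriginRegistry) Allowed(origin string) bool {
	r.mu.RLock()
	defer r.mu.RUnlock()
	_, ok := r.origins[strings.ToLower(origin)]
	return ok
}

func main() {
	reg := NewOriginRegistry()
	fmt.Println(reg.Add("https://api.bigcorp.example"), reg.Allowed("https://api.bigcorp.example"))
}
```

Because registration is reachable through the API, the route that calls `Add` needs the same authentication and authorization as any other change to the server's security configuration.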
Comment From: jub0bs
@adriendomoison Thanks! I appreciate your insight and the time you've spent writing your reply. FWIW, here's one counterargument I can offer.