cmd: Require explicit CORS enabling (#42)

Signed-off-by: aeneasr <[email protected]>

UPGRADE.md

@@ -4,4 +4,9 @@ The intent of this document is to make migration of breaking changes as easy as
 breaking changes might be included here. Please check the [CHANGELOG.md](./CHANGELOG.md) for a full list of changes
 before finalizing the upgrade process.
 
-## 1.0.0-rc.1
+## 1.0.0-rc.1
+
+### CORS is disabled by default
+
+A new environment variable `CORS_ENABLED` was introduced. It sets whether CORS is enabled ("true") or not ("false")".
+Default is disabled.

cmd/serve.go

@@ -96,6 +96,9 @@ AUTHENTICATORS
 
 CORS CONTROLS
 ==============
+- CORS_ENABLED: Switch CORS support on (true) or off (false). Default is off (false).
+	Example: CORS_ENABLED=true
+
 - CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
 	If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
 	to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.

cmd/server/serve.go

@@ -108,7 +108,12 @@ func RunServe(
 
 		n := negroni.New()
 		n.Use(negronilogrus.NewMiddlewareFromLogger(logger, "keto"))
-		corsHandler := cors.New(corsx.ParseOptions()).Handler(n)
+
+		var c http.Handler = n
+		if viper.GetString("CORS_ENABLED") == "true" {
+			logger.Info("Enabled CORS")
+			c = cors.New(corsx.ParseOptions()).Handler(n)
+		}
 
 		if ok, _ := cmd.Flags().GetBool("disable-telemetry"); !ok && viper.GetString("DATABASE_URL") != "memory" {
 			logger.Println("Transmission of telemetry data is enabled, to learn more go to: https://www.ory.sh/docs/guides/latest/telemetry/")
@@ -137,7 +142,7 @@ func RunServe(
 		address := fmt.Sprintf("%s:%s", viper.GetString("HOST"), viper.GetString("PORT"))
 		var srv = graceful.WithDefaults(&http.Server{
 			Addr:    address,
-			Handler: corsHandler,
+			Handler: c,
 		})
 
 		if err := graceful.Graceful(func() error {