fix(cors): split CORS_ORIGIN comma-list into per-origin registrations #46

Merged
YousifShkara merged 1 commit from fix/cors-allowed-origins-list into main 2026-06-03 03:24:13 +02:00
Owner

The CorsLayer wiring assumed CORS_ORIGIN was a single absolute URL:

  let cors_origin = config.cors_origin.clone();         // entire "https://a8n.systems,https://msp.a8n.systems,..." string
  .allowed_origin(&cors_origin)                          // never matches a real Origin header
  .split("://").nth(1).unwrap_or("")                    // yields "a8n.systems,https" on a comma-list

Once the bunyip-as-OP cutover landed three browser RPs (bunyip-web, mokosh-apps,
drillmark), the comma-list silently broke CORS for every cross-origin browser
hit to bunyip-api. The SPA's POST to /oauth2/token surfaced as a TypeError:
Failed to fetch on the /auth/callback page because the preflight had no
matching allowed origin.

Parse CORS_ORIGIN as comma-separated, register each entry via
cors.allowed_origin(o) in turn. Switch the subdomain-fallback domain derivation
to BUNYIP_WEB_ORIGIN (which is always a single URL) so the closure isn't fed
a comma-list either.
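The failure and the fix described above, as an added example that is not the bunyip project's code: a plain-std Rust sketch showing why the old derivation produces "a8n.systems,https" on a comma-list, a parser that splits CORS_ORIGIN into per-origin entries, an exact-match check of the kind a per-origin allowlist performs, and a domain derivation that refuses anything but a single URL. All function names, the subdomain-fallback shape, and the sample origin values are assumptions made for the illustration.

```rust
// Added example, not code from the PR or from bunyip-api. Function names and
// the subdomain-fallback behaviour are assumptions for illustration.

/// The pre-fix derivation: treats the whole env value as one URL and takes
/// everything after "://". Fed a comma-list it returns "a8n.systems,https".
pub fn buggy_domain_from_env(cors_origin: &str) -> String {
    cors_origin.split("://").nth(1).unwrap_or("").to_string()
}

/// Split a comma-separated CORS_ORIGIN into individual origins. Entries are
/// trimmed, empty entries dropped and a trailing "/" removed, because a
/// browser's Origin header is scheme://host[:port] with no path.
pub fn parse_cors_origins(cors_origin: &str) -> Vec<String> {
    cors_origin
        .split(',')
        .map(|s| s.trim().trim_end_matches('/'))
        .filter(|s| !s.is_empty())
        .map(str::to_string)
        .collect()
}

/// Exact-match check mirroring a per-origin allowlist: the Origin header must
/// equal one registered entry byte-for-byte (scheme, host and port all count),
/// which is why one joined string could never match a real header.
pub fn origin_allowed(allowed: &[String], origin_header: &str) -> bool {
    allowed.iter().any(|o| o == origin_header)
}

/// Derive the bare host from a single URL (the BUNYIP_WEB_ORIGIN role in the
/// PR). Returns None for an empty host or anything that still looks like a
/// comma-list, so a misconfiguration fails loudly instead of silently.
pub fn domain_from_single_origin(origin: &str) -> Option<String> {
    let rest = origin.split("://").nth(1)?;
    // Cut at the first '/' or ':' to drop path and port.
    let host = rest.split(|c: char| c == '/' || c == ':').next()?;
    if host.is_empty() || host.contains(',') {
        return None;
    }
    Some(host.to_string())
}

/// Assumed subdomain fallback: accept an https origin whose host is the
/// domain itself or a true subdomain of it. Requiring the leading '.' keeps
/// "evil-a8n.systems" from matching "a8n.systems".
pub fn origin_matches_domain(domain: &str, origin_header: &str) -> bool {
    let Some(host_port) = origin_header.strip_prefix("https://") else {
        return false;
    };
    let host = host_port.split(':').next().unwrap_or(host_port);
    host == domain || host.ends_with(format!(".{}", domain).as_str())
}

fn main() {
    // Constructed sample value in the shape the PR describes.
    let env = "https://a8n.systems,https://msp.a8n.systems,https://drillmark.a8n.systems";
    println!("buggy derivation -> {:?}", buggy_domain_from_env(env));
    let allowed = parse_cors_origins(env);
    println!("registered origins -> {:?}", allowed);
    for o in ["https://msp.a8n.systems", "http://a8n.systems", "https://evil.example"] {
        println!("{o}: allowed={}", origin_allowed(&allowed, o));
    }
    println!("domain from single URL -> {:?}", domain_from_single_origin("https://a8n.systems"));
    println!("domain from comma-list -> {:?}", domain_from_single_origin(env));
}
```

Because the allowlist check is an exact string comparison, a scheme or port difference ("http://a8n.systems", "https://a8n.systems:8443") is a distinct origin and must be registered on its own; that is also why a joined comma-list, which is never equal to any real Origin header, silently denied every cross-origin request rather than failing at startup.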

fix(cors): split CORS_ORIGIN comma-list into per-origin registrations
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / fmt / clippy / build / test (pull_request) Successful in 1m8s
66e9934406
YousifShkara deleted branch fix/cors-allowed-origins-list 2026-06-03 03:24:13 +02:00
Reference
psa-systems/bunyip!46