Merge pull request #40 from MITLibraries/engx-266-cors

Add rack-cors and configuration

Gemfile

@@ -41,6 +41,8 @@ gem 'stimulus-rails'
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: %i[windows jruby]
 
+gem 'rack-cors'
+
 # Use Redis adapter to run Action Cable in production
 # gem "redis", ">= 4.0.1"
 

Gemfile.lock

@@ -201,6 +201,8 @@ GEM
       nio4r (~> 2.0)
     racc (1.7.3)
     rack (3.0.10)
+    rack-cors (2.0.2)
+      rack (>= 2.0.0)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
@@ -347,6 +349,7 @@ DEPENDENCIES
   mitlibraries-theme!
   pg
   puma (>= 5.0)
+  rack-cors
   rails (~> 7.1.2)
   rubocop
   rubocop-capybara

README.md

@@ -6,6 +6,8 @@
 
 `LINKRESOLVER_BASEURL`: base url for our link resolver. `https://mit.primo.exlibrisgroup.com/discovery/openurl?institution=01MIT_INST&rfr_id=info:sid/mit.tacos.api&vid=01MIT_INST:MIT` is probably the best value unless you are doing something interesting.
 
+`ORIGINS`: comma-separated list of domains allowed to connect to (and thus query or contribute to) the application. Be sure to specify the port number if a connecting application is not using the standard ports (this applies mostly to local development). If not defined, no external connections will be permitted.
+
 `UNPAYWALL_EMAIL`: email address to include in API call as required in their [documentation](https://unpaywall.org/products/api). Your personal email is appropriate for development. Deployed and for tests, use the timdex moira list email.
 
 ### Optional

config/initializers/cors.rb

@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# config/initializers/cors.rb
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins ENV.fetch('ORIGINS', '').split(',').map{|t| t.strip}
+    resource '/graphql', headers: :any, methods: [:post]
+  end
+end