:security: cors implemented

[Vimal-Kumar-V]

Summary by CodeRabbit

• New Features

  • Added support for specifying multiple CORS origins using a comma-separated string in the configuration.

• Refactor

  • Updated the Client struct to include a new field env of type Environment for better environmental configuration handling.
  • Modified the Environment struct to include a cors_allowed_origin field for parsing and storing CORS origins.

• Bug Fixes

  • Updated the get_config function in main.rs to initialize Client with corrected arguments.
  • Improved CORS handling in the server module by using Environment::default().cors_allowed_origin.

[coderabbitai]

Walkthrough

The recent update involves refining the CORS (Cross-Origin Resource Sharing) configuration in a server application by removing the Deserialize trait from the Environment struct and introducing a new cors_allowed_origin field. This field is populated with values from the ALLOWED_ORIGINS environment variable, marking a significant shift towards a more dynamic and configurable approach for handling allowed origins in CORS settings.

Changes

File Path	Change Summary
.cargo/config.example.toml	Added ALLOWED_ORIGINS for CORS origins specification in the configuration file.
.cargo/config.local.toml	Added support for multiple CORS origins using a comma-separated string in the configuration.
.../cerium/src/client/mod.rs	Added env field of type Environment, updated new method, and modified storage_client.
.../cerium/src/env.rs	Removed Deserialize, added cors_allowed_origin field, and parsed ALLOWED_ORIGINS.
.../cerium/src/server/mod.rs	Updated CORS settings to use Environment::default().cors_allowed_origin instead of Any.
.../services/api/src/main.rs	Updated get_config function and main function for initializing Client with fewer arguments.

🐇✨
In the realm of code, where changes abound,
A rabbit hopped in, with a soft thumping sound.
"No more Deserialize, no more Any,
Let's parse ALLOWED_ORIGINS, be nimble and canny.
With cors_allowed_origin, we've set the stage,
For a more dynamic web, turning a new page."
🌟🐾

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository from git and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[dagshub]

Join the discussion on DagsHub!

[coderabbitai]

Review Status

Actionable comments generated: 2

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between ef8f2b0 and e0501cb.

Files selected for processing (2)

• crates/libs/cerium/src/env.rs (3 hunks)
• crates/libs/cerium/src/server/mod.rs (3 hunks)

Additional comments: 2

crates/libs/cerium/src/env.rs (2)

• 13-13: The addition of the cors_allowed_origin field to the Environment struct is a significant change. It's crucial to ensure that the type Vec<HeaderValue> is appropriate for storing CORS origins and that it aligns with how these values are used elsewhere in the application.
• 1-7: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [4-13]

The removal of the Deserialize trait from the Environment struct indicates a shift in how environment configurations are handled. Ensure that all configurations previously managed through deserialization are now correctly handled through the environment variables and that this change does not negatively impact the application's configuration flexibility or robustness.

[coderabbitai]

The parsing of the ALLOWED_ORIGINS environment variable into cors_allowed_origin uses unwrap() which could cause the application to panic if the environment variable is not set or if any of the origins cannot be parsed into a HeaderValue. Consider adding error handling or a default value to improve the robustness of this implementation.

- .map(|origin| origin.parse::<HeaderValue>().unwrap()).collect()
+ .map(|origin| origin.parse::<HeaderValue>().expect("Invalid ALLOWED_ORIGINS format")).collect()

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	cors_allowed_origin: env::var("ALLOWED_ORIGINS").unwrap_or("".to_string()).split(',')
	.map(|origin| origin.parse::<HeaderValue>().unwrap()).collect()
	cors_allowed_origin: env::var("ALLOWED_ORIGINS").unwrap_or("".to_string()).split(',')
	.map(|origin| origin.parse::<HeaderValue>().expect("Invalid ALLOWED_ORIGINS format")).collect()

[coderabbitai]

Review Status

Actionable comments generated: 3

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between e0501cb and b7e3d36.

Files selected for processing (6)

• .cargo/config.example.toml (1 hunks)
• .cargo/config.local.toml (1 hunks)
• crates/libs/cerium/src/client/mod.rs (2 hunks)
• crates/libs/cerium/src/env.rs (2 hunks)
• crates/libs/cerium/src/server/mod.rs (3 hunks)
• crates/services/api/src/main.rs (2 hunks)

Files skipped from review as they are similar to previous changes (2)

• crates/libs/cerium/src/env.rs
• crates/libs/cerium/src/server/mod.rs

Additional comments: 3

crates/services/api/src/main.rs (2)

• 28-28: The update to initialize Client with fewer arguments aligns with the changes in the Client struct. This simplification is a good practice, making the code cleaner and more maintainable.
• 44-44: Awaiting the set_router method call is correct and aligns with asynchronous programming practices in Rust. This ensures that the router setup completes before the application starts running.

crates/libs/cerium/src/client/mod.rs (1)

• 20-26: The update to the Client struct and the new method to include and initialize the env field with an optional Environment parameter is a good practice. It enhances configurability and aligns with the objective of managing CORS policies more effectively.

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between b7e3d36 and 54448e4.

Files selected for processing (2)

• .cargo/config.example.toml (1 hunks)
• crates/libs/cerium/src/server/mod.rs (3 hunks)

Files skipped from review as they are similar to previous changes (2)

• .cargo/config.example.toml
• crates/libs/cerium/src/server/mod.rs

[itsparser]

/prbot describe

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 54448e4 and 6d59a23.

Files selected for processing (4)

• .cargo/config.example.toml (1 hunks)
• .cargo/config.local.toml (1 hunks)
• crates/libs/cerium/src/env.rs (2 hunks)
• crates/libs/cerium/src/server/mod.rs (2 hunks)

Files skipped from review as they are similar to previous changes (4)

• .cargo/config.example.toml
• .cargo/config.local.toml
• crates/libs/cerium/src/env.rs
• crates/libs/cerium/src/server/mod.rs