plugins/clnrest: Update Websocket server to dynamically add CORS settings

Changelog-Added: New configurable Cross-Origin-Resource-Sharing(CSP) header for clnrest
2025-02-22 14:42:40 +01:00 · 2023-09-12 12:03:51 -07:00 · 2023-09-12 12:03:51 -07:00 · eca3a33e69
commit eca3a33e69
parent f0edc878e6
2 changed files with 22 additions and 3 deletions
--- a/plugins/clnrest/clnrest.py
+++ b/plugins/clnrest/clnrest.py
@ -3,6 +3,8 @@
 try:
    import sys
    import os
+    import re
+    import ssl
    import time
    import multiprocessing
    from gunicorn import glogging  # noqa: F401
@ -30,9 +32,25 @@ except ModuleNotFoundError as err:

 multiprocessing.set_start_method('fork')

+
+def check_origin(origin):
+    from utilities.shared import REST_CORS_ORIGINS
+    is_whitelisted = False
+    if REST_CORS_ORIGINS[0] == "*":
+        is_whitelisted = True
+    else:
+        for whitelisted_origin in REST_CORS_ORIGINS:
+            try:
+                does_match = bool(re.compile(whitelisted_origin).match(origin))
+                is_whitelisted = is_whitelisted or does_match
+            except Exception as err:
+                plugin.log(f"Error from rest-cors-origin {whitelisted_origin} match with {origin}: {err}", "info")
+    return is_whitelisted
+
+
 jobs = {}
 app = Flask(__name__)
-socketio = SocketIO(app, async_mode="gevent", cors_allowed_origins="*")
+socketio = SocketIO(app, async_mode="gevent", cors_allowed_origins=check_origin)
 msgq = Queue()


@ -82,7 +100,7 @@ def ws_connect():
 def create_app():
    from utilities.shared import REST_CORS_ORIGINS
    global app
-    app.config['SECRET_KEY'] = os.urandom(24).hex()
+    app.config["SECRET_KEY"] = os.urandom(24).hex()
    authorizations = {
        "rune": {"type": "apiKey", "in": "header", "name": "Rune"}
    }
@ -124,6 +142,7 @@ def set_application_options(plugin):
            "loglevel": "warning",
            "certfile": f"{CERTS_PATH}/client.pem",
            "keyfile": f"{CERTS_PATH}/client-key.pem",
+            "ssl_version": ssl.PROTOCOL_TLSv1_2
        }
    return options

--- a/plugins/clnrest/utilities/rpc_routes.py
+++ b/plugins/clnrest/utilities/rpc_routes.py
@ -44,7 +44,7 @@ class RpcMethodResource(Resource):
                raise Exception(is_valid_rune)

        except Exception as err:
-            return json5.loads(str(err)), 403
+            return json5.loads(str(err)), 401

        try:
            if request.is_json: