Add allowed origin env (#405)

packages/brain/src/index.ts

@@ -60,7 +60,8 @@ const { uiServer, launchpadServer, brainApiServer } = getServers({
   validatorApi,
   beaconchainApi,
   brainDb,
-  reloadValidatorsCronTask
+  reloadValidatorsCronTask,
+  allowedOriginsFromEnv: config.apis.cors
 });
 
 // Graceful shutdown

packages/brain/src/modules/apiServers/brain/config.ts

@@ -1,3 +1 @@
-export const corsOptions = {
-  origin: ["http://csm-lido.dappnode", "http://csm-lido.testnet.dappnode"] // TODO: update with DAppNodePackage-lido-csm.dnp.dappnode.eth domains
-};
+export const allowedOrigins = ["http://ui.lido-csm-holesky.dappnode", "http://ui.lido-csm-mainnet.dappnode"];

packages/brain/src/modules/apiServers/brain/startBrainApi.ts

@@ -3,14 +3,20 @@ import cors from "cors";
 import logger from "../../logger/index.js";
 import http from "node:http";
 import { params } from "../../../params.js";
-import { corsOptions } from "./config.js";
+import { allowedOrigins } from "./config.js";
 import { createBrainValidatorsRouter } from "./routes/index.js";
 import { BrainDataBase } from "../../db/index.js";
 
-export function startBrainApi({ brainDb }: { brainDb: BrainDataBase }): http.Server {
+export function startBrainApi({
+  brainDb,
+  allowedOriginsFromEnv
+}: {
+  brainDb: BrainDataBase;
+  allowedOriginsFromEnv: string[] | null;
+}): http.Server {
   const app = express();
   app.use(express.json());
-  app.use(cors(corsOptions));
+  app.use(cors({ origin: allowedOriginsFromEnv ?? allowedOrigins }));
 
   app.use(createBrainValidatorsRouter({ brainDb }));
 

packages/brain/src/modules/apiServers/index.ts

@@ -20,7 +20,8 @@ export const getServers = ({
   validatorApi,
   beaconchainApi,
   brainDb,
-  reloadValidatorsCronTask
+  reloadValidatorsCronTask,
+  allowedOriginsFromEnv
 }: {
   brainConfig: BrainConfig;
   uiBuildPath: string;
@@ -31,6 +32,7 @@ export const getServers = ({
   beaconchainApi: BeaconchainApi;
   brainDb: BrainDataBase;
   reloadValidatorsCronTask: CronJob;
+  allowedOriginsFromEnv: string[] | null;
 }): {
   uiServer: http.Server;
   launchpadServer: http.Server;
@@ -46,7 +48,8 @@ export const getServers = ({
       validatorApi,
       blockExplorerApi,
       beaconchainApi,
-      postgresClient
+      postgresClient,
+      allowedOriginsFromEnv
     }),
     launchpadServer: startLaunchpadApi({
       brainDb,
@@ -55,10 +58,12 @@ export const getServers = ({
       beaconchainApi,
       reloadValidatorsCronTask,
       network: brainConfig.chain.network,
-      signerUrl: brainConfig.apis.signerUrl
+      signerUrl: brainConfig.apis.signerUrl,
+      allowedOriginsFromEnv
     }),
     brainApiServer: startBrainApi({
-      brainDb
+      brainDb,
+      allowedOriginsFromEnv
     })
   };
 };

packages/brain/src/modules/apiServers/launchpad/config.ts

@@ -1,10 +1,8 @@
-export const corsOptions = {
-  origin: [
-    "http://rocketpool-testnet.public.dappnode",
-    "http://rocketpool.dappnode",
-    "http://stader-testnet.dappnode",
-    "http://stader.dappnode",
-    "http://ui.lido-csm-holesky.dappnode",
-    "http://ui.lido-csm-mainnet.dappnode"
-  ]
-};
+export const allowedOrigins = [
+  "http://rocketpool-testnet.public.dappnode",
+  "http://rocketpool.dappnode",
+  "http://stader-testnet.dappnode",
+  "http://stader.dappnode",
+  "http://ui.lido-csm-holesky.dappnode",
+  "http://ui.lido-csm-mainnet.dappnode"
+];

packages/brain/src/modules/apiServers/launchpad/startLaunchpadApi.ts

@@ -3,7 +3,7 @@ import cors from "cors";
 import logger from "../../logger/index.js";
 import http from "node:http";
 import { params } from "../../../params.js";
-import { corsOptions } from "./config.js";
+import { allowedOrigins } from "./config.js";
 import { createKeystoresRouter, createFeeRecipientsRouter } from "./routes/index.js";
 import { CronJob } from "../../cron/cron.js";
 import { BrainDataBase } from "../../db/index.js";
@@ -19,7 +19,8 @@ export function startLaunchpadApi({
   reloadValidatorsCronTask,
   brainDb,
   network,
-  signerUrl
+  signerUrl,
+  allowedOriginsFromEnv
 }: {
   signerApi: Web3SignerApi;
   validatorApi: ValidatorApi;
@@ -28,10 +29,11 @@ export function startLaunchpadApi({
   brainDb: BrainDataBase;
   network: Network;
   signerUrl: string;
+  allowedOriginsFromEnv: string[] | null;
 }): http.Server {
   const app = express();
   app.use(express.json());
-  app.use(cors(corsOptions));
+  app.use(cors({ origin: allowedOriginsFromEnv ?? allowedOrigins }));
 
   app.use(createKeystoresRouter({ reloadValidatorsCronTask, brainDb, network, validatorApi, signerApi, signerUrl }));
   app.use(

packages/brain/src/modules/apiServers/ui/config.ts

@@ -0,0 +1,3 @@
+import { BRAIN_UI_DOMAIN, Network } from "@stakingbrain/common";
+
+export const allowedOrigins = (network: Network) => ["http://my.dappnode", `http://${BRAIN_UI_DOMAIN(network)}`];

packages/brain/src/modules/apiServers/ui/startUiServer.ts

@@ -1,4 +1,4 @@
-import { BRAIN_UI_DOMAIN, Network } from "@stakingbrain/common";
+import { Network } from "@stakingbrain/common";
 import cors from "cors";
 import express from "express";
 import path from "path";
@@ -19,6 +19,7 @@ import {
   ValidatorApi,
   Web3SignerApi
 } from "../../apiClients/index.js";
+import { allowedOrigins } from "./config.js";
 
 // Define the type for the RPC request
 interface RpcRequest {
@@ -38,7 +39,8 @@ export function startUiServer({
   postgresClient,
   uiBuildPath,
   brainConfig,
-  reloadValidatorsCronTask
+  reloadValidatorsCronTask,
+  allowedOriginsFromEnv
 }: {
   brainDb: BrainDataBase;
   blockExplorerApi: BlockExplorerApi;
@@ -49,6 +51,7 @@ export function startUiServer({
   uiBuildPath: string;
   brainConfig: BrainConfig;
   reloadValidatorsCronTask: CronJob;
+  allowedOriginsFromEnv: string[] | null;
 }): http.Server {
   const { network } = brainConfig.chain;
   // create index.html modified with network
@@ -114,10 +117,9 @@ export function startUiServer({
   });
 
   // Express
-  const allowedOrigins = ["http://my.dappnode", `http://${BRAIN_UI_DOMAIN(network)}`];
   app.use(
     cors({
-      origin: allowedOrigins
+      origin: allowedOriginsFromEnv ?? allowedOrigins(network)
     })
   );
   app.use(express.json());

packages/brain/src/modules/config/index.ts

@@ -6,7 +6,7 @@ import { getValidatorToken } from "./getValidatorToken.js";
 import { getTlsCert } from "./getTlsCert.js";
 
 export const brainConfig = (): BrainConfig => {
-  const { network, executionClient, consensusClient, isMevBoostSet } = loadEnvs();
+  const { network, executionClient, consensusClient, isMevBoostSet, cors } = loadEnvs();
 
   // Determine the validator URL based on the consensus client and network.
   // All this logic is needed because Teku has a TLS certificate that points to the old
@@ -44,7 +44,8 @@ export const brainConfig = (): BrainConfig => {
       postgresUrl: getPostgresUrl(network),
       token: getValidatorToken(consensusClient),
       host: network === "mainnet" ? `brain.web3signer.dappnode` : `brain.web3signer-${network}.dappnode`,
-      tlsCert: getTlsCert(consensusClient, network) // To avoid Teku edge case it is necessary to update TLS certificate in both: validator and brain
+      tlsCert: getTlsCert(consensusClient, network), // To avoid Teku edge case it is necessary to update TLS certificate in both: validator and brain
+      cors
     }
   };
 };

packages/brain/src/modules/config/loadEnvs.ts

@@ -5,6 +5,7 @@ export function loadEnvs(): {
   executionClient: ExecutionClient;
   consensusClient: ConsensusClient;
   isMevBoostSet: boolean;
+  cors: string[] | null;
 } {
   const network = getNetwork();
 
@@ -17,7 +18,8 @@ export function loadEnvs(): {
     network: network as Network,
     executionClient,
     consensusClient,
-    isMevBoostSet
+    isMevBoostSet,
+    cors: process.env.CORS ? process.env.CORS.split(",") : null
   };
 }
 

packages/brain/src/modules/config/types.ts

@@ -17,6 +17,7 @@ export interface ApisConfig {
   token: string;
   tlsCert: Buffer | null;
   host: string;
+  cors: string[] | null;
 }
 
 export interface ChainConfig {