feat: add configurable CORS support for REST API

bburda · bburda · commit 7a63652ca549 · 2025-11-30T15:08:21.000Z
Add CORS configuration via ROS 2 parameters to allow browser-based
clients (web UIs) to call the Gateway REST API without code changes.

Configuration options (in gateway_params.yaml):
- cors.allowed_origins: list of allowed origins (empty = allow all)
- cors.allowed_methods: HTTP methods to allow
- cors.allowed_headers: headers to allow in requests
- cors.allow_credentials: enable credentials support
- cors.max_age_seconds: preflight cache duration

CORS is disabled when no configuration is provided. Handles preflight
OPTIONS requests with 204 No Content response.
diff --git a/src/ros2_medkit_gateway/config/gateway_params.yaml b/src/ros2_medkit_gateway/config/gateway_params.yaml
@@ -25,6 +25,32 @@ ros2_medkit_gateway:
     # Valid range: 100-60000 (0.1s to 60s)
     refresh_interval_ms: 2000
 
+    # CORS Configuration
+    # Cross-Origin Resource Sharing settings for browser-based clients
+    # If cors section is missing or empty, CORS handling is disabled
+    cors:
+      # List of allowed origins
+      # Examples: ["http://localhost:5173", "https://example.com"]
+      # Use ["*"] to allow all origins (not recommended for production)
+      # Empty list with other settings = allow all origins
+      allowed_origins: []
+
+      # Allowed HTTP methods for CORS requests
+      # Default: ["GET", "OPTIONS"]
+      allowed_methods: ["GET", "OPTIONS"]
+
+      # Allowed headers in CORS requests
+      # Use ["*"] to allow all headers
+      allowed_headers: ["Content-Type", "Accept"]
+
+      # Whether to allow credentials (cookies, authorization headers)
+      # When true, allowed_origins cannot be ["*"]
+      allow_credentials: false
+
+      # How long (in seconds) browsers should cache preflight response
+      # Default: 86400 (24 hours)
+      max_age_seconds: 86400
+
     # Data Access Configuration
     # Maximum number of concurrent topic samples when fetching component data
     # Higher values improve response time but use more system resources
diff --git a/src/ros2_medkit_gateway/include/ros2_medkit_gateway/config.hpp b/src/ros2_medkit_gateway/include/ros2_medkit_gateway/config.hpp
@@ -0,0 +1,34 @@
+// Copyright 2025 bburda
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+namespace ros2_medkit_gateway {
+
+/**
+ * @brief CORS (Cross-Origin Resource Sharing) configuration settings
+ */
+struct CorsConfig {
+    bool enabled{false};
+    std::vector<std::string> allowed_origins;
+    std::vector<std::string> allowed_methods;
+    std::vector<std::string> allowed_headers;
+    bool allow_credentials{false};
+    int max_age_seconds{86400};
+};
+
+}  // namespace ros2_medkit_gateway
diff --git a/src/ros2_medkit_gateway/include/ros2_medkit_gateway/gateway_node.hpp b/src/ros2_medkit_gateway/include/ros2_medkit_gateway/gateway_node.hpp
@@ -20,9 +20,11 @@
 #include <mutex>
 #include <string>
 #include <thread>
+#include <vector>
 
 #include <rclcpp/rclcpp.hpp>
 
+#include "ros2_medkit_gateway/config.hpp"
 #include "ros2_medkit_gateway/models.hpp"
 #include "ros2_medkit_gateway/discovery_manager.hpp"
 #include "ros2_medkit_gateway/data_access_manager.hpp"
@@ -55,6 +57,7 @@ class GatewayNode : public rclcpp::Node {
     std::string server_host_;
     int server_port_;
     int refresh_interval_ms_;
+    CorsConfig cors_config_;
 
     // Managers
     std::unique_ptr<DiscoveryManager> discovery_mgr_;
diff --git a/src/ros2_medkit_gateway/include/ros2_medkit_gateway/rest_server.hpp b/src/ros2_medkit_gateway/include/ros2_medkit_gateway/rest_server.hpp
@@ -19,16 +19,23 @@
 #include <expected>
 #include <memory>
 #include <string>
+#include <vector>
 
 #include <nlohmann/json.hpp>
 
+#include "ros2_medkit_gateway/config.hpp"
+
 namespace ros2_medkit_gateway {
 
 class GatewayNode;
 
 class RESTServer {
 public:
-    RESTServer(GatewayNode* node, const std::string& host, int port);
+    RESTServer(
+        GatewayNode* node,
+        const std::string& host,
+        int port,
+        const CorsConfig& cors_config = {});
     ~RESTServer();
 
     void start();
@@ -49,10 +56,13 @@ class RESTServer {
 
     // Helper methods
     std::expected<void, std::string> validate_entity_id(const std::string& entity_id) const;
+    void set_cors_headers(httplib::Response& res, const std::string& origin) const;
+    bool is_origin_allowed(const std::string& origin) const;
 
     GatewayNode* node_;
     std::string host_;
     int port_;
+    CorsConfig cors_config_;
     std::unique_ptr<httplib::Server> server_;
 };
 
diff --git a/src/ros2_medkit_gateway/src/gateway_node.cpp b/src/ros2_medkit_gateway/src/gateway_node.cpp
@@ -28,12 +28,30 @@ GatewayNode::GatewayNode()
     declare_parameter("server.host", "127.0.0.1");
     declare_parameter("server.port", 8080);
     declare_parameter("refresh_interval_ms", 2000);
+    declare_parameter("cors.allowed_origins", std::vector<std::string>{});
+    declare_parameter("cors.allowed_methods", std::vector<std::string>{"GET", "OPTIONS"});
+    declare_parameter("cors.allowed_headers", std::vector<std::string>{"Content-Type", "Accept"});
+    declare_parameter("cors.allow_credentials", false);
+    declare_parameter("cors.max_age_seconds", 86400);
 
     // Get parameter values
     server_host_ = get_parameter("server.host").as_string();
     server_port_ = get_parameter("server.port").as_int();
     refresh_interval_ms_ = get_parameter("refresh_interval_ms").as_int();
 
+    // Get CORS configuration
+    cors_config_.allowed_origins = get_parameter("cors.allowed_origins").as_string_array();
+    cors_config_.allowed_methods = get_parameter("cors.allowed_methods").as_string_array();
+    cors_config_.allowed_headers = get_parameter("cors.allowed_headers").as_string_array();
+    cors_config_.allow_credentials = get_parameter("cors.allow_credentials").as_bool();
+    cors_config_.max_age_seconds = get_parameter("cors.max_age_seconds").as_int();
+
+    // CORS is enabled if any origins are configured or if methods/headers are non-default
+    // Treat missing/empty config as disabled for security
+    cors_config_.enabled = !cors_config_.allowed_origins.empty() ||
+                           !cors_config_.allowed_methods.empty() ||
+                           !cors_config_.allowed_headers.empty();
+
     // Validate port range
     if (server_port_ < 1024 || server_port_ > 65535) {
         RCLCPP_ERROR(
@@ -77,6 +95,32 @@ GatewayNode::GatewayNode()
         refresh_interval_ms_
     );
 
+    if (cors_config_.enabled) {
+        std::string origins_str;
+        for (const auto& origin : cors_config_.allowed_origins) {
+            if (!origins_str.empty()) origins_str += ", ";
+            origins_str += origin;
+        }
+        if (origins_str.empty()) origins_str = "* (all)";
+
+        std::string methods_str;
+        for (const auto& method : cors_config_.allowed_methods) {
+            if (!methods_str.empty()) methods_str += ", ";
+            methods_str += method;
+        }
+
+        RCLCPP_INFO(
+            get_logger(),
+            "CORS enabled - origins: [%s], methods: [%s], credentials: %s, max_age: %ds",
+            origins_str.c_str(),
+            methods_str.c_str(),
+            cors_config_.allow_credentials ? "true" : "false",
+            cors_config_.max_age_seconds
+        );
+    } else {
+        RCLCPP_INFO(get_logger(), "CORS: disabled (no configuration provided)");
+    }
+
     // Initialize managers
     discovery_mgr_ = std::make_unique<DiscoveryManager>(this);
     data_access_mgr_ = std::make_unique<DataAccessManager>(this);
@@ -90,8 +134,9 @@ GatewayNode::GatewayNode()
         std::bind(&GatewayNode::refresh_cache, this)
     );
 
-    // Start REST server with configured host and port
-    rest_server_ = std::make_unique<RESTServer>(this, server_host_, server_port_);
+    // Start REST server with configured host, port and CORS
+    rest_server_ = std::make_unique<RESTServer>(
+        this, server_host_, server_port_, cors_config_);
     start_rest_server();
 
     RCLCPP_INFO(
diff --git a/src/ros2_medkit_gateway/src/rest_server.cpp b/src/ros2_medkit_gateway/src/rest_server.cpp
@@ -27,10 +27,33 @@ using httplib::StatusCode;
 
 namespace ros2_medkit_gateway {
 
-RESTServer::RESTServer(GatewayNode* node, const std::string& host, int port)
-    : node_(node), host_(host), port_(port)
+RESTServer::RESTServer(
+    GatewayNode* node,
+    const std::string& host,
+    int port,
+    const CorsConfig& cors_config)
+    : node_(node), host_(host), port_(port), cors_config_(cors_config)
 {
     server_ = std::make_unique<httplib::Server>();
+
+    // Set up pre-routing handler for CORS (only if enabled)
+    if (cors_config_.enabled) {
+        server_->set_pre_routing_handler(
+            [this](const httplib::Request& req, httplib::Response& res) {
+                std::string origin = req.get_header_value("Origin");
+                if (!origin.empty() && is_origin_allowed(origin)) {
+                    set_cors_headers(res, origin);
+                }
+
+                // Handle preflight OPTIONS requests
+                if (req.method == "OPTIONS") {
+                    res.status = 204;  // No Content
+                    return httplib::Server::HandlerResponse::Handled;
+                }
+                return httplib::Server::HandlerResponse::Unhandled;
+            });
+    }
+
     setup_routes();
 }
 
@@ -546,4 +569,51 @@ void RESTServer::handle_component_topic_data(const httplib::Request& req, httpli
     }
 }
 
+void RESTServer::set_cors_headers(httplib::Response& res, const std::string& origin) const {
+    res.set_header("Access-Control-Allow-Origin", origin);
+
+    // Build methods string from config
+    std::string methods_str;
+    for (const auto& method : cors_config_.allowed_methods) {
+        if (!methods_str.empty()) methods_str += ", ";
+        methods_str += method;
+    }
+    if (!methods_str.empty()) {
+        res.set_header("Access-Control-Allow-Methods", methods_str);
+    }
+
+    // Build headers string from config
+    std::string headers_str;
+    for (const auto& header : cors_config_.allowed_headers) {
+        if (!headers_str.empty()) headers_str += ", ";
+        headers_str += header;
+    }
+    if (!headers_str.empty()) {
+        res.set_header("Access-Control-Allow-Headers", headers_str);
+    }
+
+    // Set credentials header if enabled
+    if (cors_config_.allow_credentials) {
+        res.set_header("Access-Control-Allow-Credentials", "true");
+    }
+
+    // Set max age
+    res.set_header("Access-Control-Max-Age", std::to_string(cors_config_.max_age_seconds));
+}
+
+bool RESTServer::is_origin_allowed(const std::string& origin) const {
+    // If no origins configured, allow all (for development)
+    if (cors_config_.allowed_origins.empty()) {
+        return true;
+    }
+
+    // Check if origin matches any allowed origin
+    for (const auto& allowed : cors_config_.allowed_origins) {
+        if (allowed == "*" || allowed == origin) {
+            return true;
+        }
+    }
+    return false;
+}
+
 }  // namespace ros2_medkit_gateway
