feat(config): add homepage URL and CORS allowed origins support

rithulkamesh · rithulkamesh · commit e20a6ee0def2 · 2026-03-19T14:27:04.000+05:30
- Introduced `HOMEPAGE_URL` and `CORS_ALLOWED_ORIGINS` environment variables to enhance CORS configuration.
- Updated `docker-compose.prod.yml` to include new environment variables.
- Modified CORS middleware in `main.go` to utilize the new homepage URL and allowed origins.
- Adjusted configuration loading in `config.go` to parse the new environment variables.
- Enhanced unit tests to validate the new configuration options.
diff --git a/SECURITY.md b/SECURITY.md
@@ -47,7 +47,7 @@ The registry supports three authentication methods:
 
 ### CORS
 
-CORS is restricted to an explicit origin allowlist derived from `BASE_URL` and `FRONTEND_URL` configuration. Credentials are only sent for matching origins.
+CORS is restricted to an explicit origin allowlist derived from `BASE_URL`, `FRONTEND_URL`, `HOMEPAGE_URL`, and optional `CORS_ALLOWED_ORIGINS` configuration. Credentials are only sent for matching origins.
 
 ### Rate Limiting
 
diff --git a/api/cmd/registry/main.go b/api/cmd/registry/main.go
@@ -77,7 +77,14 @@ func main() {
 	r.Use(chimiddleware.RealIP)
 	r.Use(middleware.Logger(log.Logger))
 	r.Use(middleware.Recover)
-	r.Use(middleware.CORSWithAllowlist(cfg.BaseURL, cfg.FrontendURL))
+	corsOrigins := append([]string{
+		cfg.BaseURL,
+		cfg.FrontendURL,
+		cfg.HomepageURL,
+		"https://www.devsper.com",
+		"https://devsper.com"
+	}, cfg.CORSAllowedOrigins...)
+	r.Use(middleware.CORSWithAllowlist(corsOrigins...))
 
 	// Public
 	r.Get("/health", health.Liveness)
diff --git a/api/internal/config/config.go b/api/internal/config/config.go
@@ -5,6 +5,7 @@ import (
 	"net/url"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 )
 
@@ -51,6 +52,10 @@ type Config struct {
 	// App
 	BaseURL     string // API public URL (for OAuth redirect_uri)
 	FrontendURL string // Where to redirect after OAuth login (defaults to BaseURL if empty)
+	HomepageURL string // Homepage URL for CORS and other links
+	// Additional CORS origins (comma-separated env var CORS_ALLOWED_ORIGINS).
+	// Useful for preview/staging homepage deployments.
+	CORSAllowedOrigins []string
 	Port        string
 
 	// ECR (Docker images)
@@ -101,6 +106,8 @@ func Load() (*Config, error) {
 		SMTPPassword:        getEnv("SMTP_PASSWORD", ""),
 		BaseURL:             getEnv("BASE_URL", "https://registry.devsper.com"),
 		FrontendURL:         getEnv("FRONTEND_URL", ""), // if empty, redirects use BaseURL
+		HomepageURL:         getEnv("HOMEPAGE_URL", "https://devsper.com"), // default homepage
+		CORSAllowedOrigins:  parseCSV(getEnv("CORS_ALLOWED_ORIGINS", "")),
 		Port:                getEnv("PORT", "8080"),
 		ECRRegistry:         getEnv("ECR_REGISTRY", ""),
 		AdminSecret:         getEnv("ADMIN_SECRET", ""),
@@ -182,3 +189,19 @@ func parseDuration(s string, def time.Duration) time.Duration {
 	}
 	return d
 }
+
+func parseCSV(s string) []string {
+	if s == "" {
+		return nil
+	}
+	parts := strings.Split(s, ",")
+	out := make([]string, 0, len(parts))
+	for _, p := range parts {
+		v := strings.TrimSpace(p)
+		if v == "" {
+			continue
+		}
+		out = append(out, v)
+	}
+	return out
+}
diff --git a/api/internal/config/config_test.go b/api/internal/config/config_test.go
@@ -128,7 +128,7 @@ func clearConfigEnv(t *testing.T) {
 		"GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
 		"SES_REGION", "SES_FROM_ADDRESS", "SES_REPLY_TO",
 		"SMTP_HOST", "SMTP_PORT", "SMTP_FROM", "SMTP_USER", "SMTP_PASSWORD",
-		"BASE_URL", "FRONTEND_URL", "PORT",
+		"BASE_URL", "FRONTEND_URL", "HOMEPAGE_URL", "CORS_ALLOWED_ORIGINS", "PORT",
 		"ECR_REGISTRY", "ADMIN_SECRET", "INTERNAL_SECRET",
 		"RATE_LIMIT_RPS", "MAX_UPLOAD_SIZE_MB", "VERIFICATION_WORKERS",
 		"ENV",
@@ -188,6 +188,8 @@ func TestLoad_CustomEnv(t *testing.T) {
 	t.Setenv("JWT_SECRET", "custom-secret")
 	t.Setenv("PORT", "9090")
 	t.Setenv("BASE_URL", "https://custom.example.com")
+	t.Setenv("HOMEPAGE_URL", "https://home.example.com")
+	t.Setenv("CORS_ALLOWED_ORIGINS", "https://preview-1.example.com, https://preview-2.example.com")
 	t.Setenv("MAX_UPLOAD_SIZE_MB", "500")
 	t.Setenv("RATE_LIMIT_RPS", "50")
 	t.Setenv("ENV", "production")
@@ -214,6 +216,18 @@ func TestLoad_CustomEnv(t *testing.T) {
 	if cfg.BaseURL != "https://custom.example.com" {
 		t.Errorf("BaseURL = %q, want custom value", cfg.BaseURL)
 	}
+	if cfg.HomepageURL != "https://home.example.com" {
+		t.Errorf("HomepageURL = %q, want custom value", cfg.HomepageURL)
+	}
+	if len(cfg.CORSAllowedOrigins) != 2 {
+		t.Fatalf("CORSAllowedOrigins len = %d, want 2", len(cfg.CORSAllowedOrigins))
+	}
+	if cfg.CORSAllowedOrigins[0] != "https://preview-1.example.com" {
+		t.Errorf("CORSAllowedOrigins[0] = %q, want first preview origin", cfg.CORSAllowedOrigins[0])
+	}
+	if cfg.CORSAllowedOrigins[1] != "https://preview-2.example.com" {
+		t.Errorf("CORSAllowedOrigins[1] = %q, want second preview origin", cfg.CORSAllowedOrigins[1])
+	}
 	if cfg.MaxUploadSizeMB != 500 {
 		t.Errorf("MaxUploadSizeMB = %d, want 500", cfg.MaxUploadSizeMB)
 	}
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -22,6 +22,8 @@ services:
     environment:
       - DATABASE_URL=postgres://${POSTGRES_USER:-registry}:${POSTGRES_PASSWORD:-password}@postgres:5432/${POSTGRES_DB:-registry}?sslmode=disable
       - BASE_URL=${BASE_URL:-https://registry.devsper.com}
+      - HOMEPAGE_URL=${HOMEPAGE_URL:-https://devsper.com}
+      - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-}
       - JWT_SECRET=${JWT_SECRET}
       - INTERNAL_SECRET=${INTERNAL_SECRET}
       - PORT=8080
