cmd: Added cors support to host process

Closes #506

cmd/host.go

@@ -32,6 +32,7 @@ you can also set environments by prepending key value pairs: "KEY=VALUE KEY2=VAL
 All possible controls are listed below. The host process additionally exposes a few flags, which are listed below
 the controls section.
 
+
 CORE CONTROLS
 =============
 
@@ -110,6 +111,7 @@ OAUTH2 CONTROLS
 - SCOPE_STRATEGY: Set this to DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY to enable the deprecated hierarchical scope strategy.
 	This is required if you do not want to migrate to the new wildcard strategy.
 
+
 HTTPS CONTROLS
 ==============
 
@@ -132,6 +134,30 @@ HTTPS CONTROLS
 	Example: HTTPS_TLS_KEY="-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg..."
 
 
+CORS CONTROLS
+==============
+- CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
+	If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
+	to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
+	Only one wildcard can be used per origin. The default value is *.
+	Example: CORS_ALLOWED_ORIGINS=http://*.domain.com,http://*.domain2.com
+
+- CORS_ALLOWED_METHODS: A list of methods  (comma separated values) the client is allowed to use with cross-domain
+	requests. Default value is simple methods (GET and POST).
+	Example: CORS_ALLOWED_METHODS=POST,GET,PUT
+
+- CORS_ALLOWED_CREDENTIALS: Indicates whether the request can include user credentials like cookies, HTTP authentication
+	or client side SSL certificates. The default is false.
+
+- CORS_DEBUG: Debugging flag adds additional output to debug server side CORS issues.
+
+- CORS_MAX_AGE: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
+
+- CORS_ALLOWED_HEADERS: A list of non simple headers (comma separated values) the client is allowed to use with cross-domain requests.
+
+- CORS_EXPOSED_HEADERS: Indicates which headers (comma separated values) are safe to expose to the API of a CORS API specification.
+
+
 DEBUG CONTROLS
 ==============
 

cmd/server/handler.go

@@ -21,6 +21,9 @@ import (
 	"net/url"
 	"os"
 
+	"strconv"
+	"strings"
+
 	"github.com/gorilla/context"
 	"github.com/julienschmidt/httprouter"
 	"github.com/meatballhat/negroni-logrus"
@@ -36,10 +39,27 @@ import (
 	"github.com/ory/hydra/warden/group"
 	"github.com/ory/ladon"
 	"github.com/pkg/errors"
+	"github.com/rs/cors"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"github.com/urfave/negroni"
 )
 
+func parseCorsOptions() cors.Options {
+	allowCredentials, _ := strconv.ParseBool(viper.GetString("CORS_ALLOWED_CREDENTIALS"))
+	debug, _ := strconv.ParseBool(viper.GetString("CORS_DEBUG"))
+	maxAge, _ := strconv.Atoi(viper.GetString("CORS_MAX_AGE"))
+	return cors.Options{
+		AllowedOrigins:   strings.Split(viper.GetString("CORS_ALLOWED_ORIGINS"), ","),
+		AllowedMethods:   strings.Split(viper.GetString("CORS_ALLOWED_METHODS"), ","),
+		AllowedHeaders:   strings.Split(viper.GetString("CORS_ALLOWED_HEADERS"), ","),
+		ExposedHeaders:   strings.Split(viper.GetString("CORS_EXPOSED_HEADERS"), ","),
+		AllowCredentials: allowCredentials,
+		MaxAge:           maxAge,
+		Debug:            debug,
+	}
+}
+
 func RunHost(c *config.Config) func(cmd *cobra.Command, args []string) {
 	return func(cmd *cobra.Command, args []string) {
 		router := httprouter.New()
@@ -93,10 +113,11 @@ func RunHost(c *config.Config) func(cmd *cobra.Command, args []string) {
 		n.Use(negronilogrus.NewMiddlewareFromLogger(logger, c.Issuer))
 		n.UseFunc(serverHandler.rejectInsecureRequests)
 		n.UseHandler(router)
+		corsHandler := cors.New(parseCorsOptions()).Handler(n)
 
 		var srv = graceful.WithDefaults(&http.Server{
 			Addr:    c.GetAddress(),
-			Handler: context.ClearHandler(n),
+			Handler: context.ClearHandler(corsHandler),
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{getOrCreateTLSCertificate(cmd, c)},
 			},