feat(api): implement CORS support with environment-based configuration

- Add CORS headers to all API responses in main.lua - Implement OPTIONS preflight request handling - Add environment-variable based CORS origin configuration - Create production.env.example for deployment documentation - Update .env.example with CORS_ALLOWED_ORIGINS setting Resolves cross-origin request blocking for Hugo dev server integration. CORS origins now configurable via CORS_ALLOWED_ORIGINS environment variable for production deployments while maintaining dev-friendly defaults. Related to #49
2025-06-24 19:42:44 +02:00 · 2025-06-24 19:42:44 +02:00 · 445e751c16
commit 445e751c16
parent 9ea0cb43e4
3 changed files with 123 additions and 25 deletions
--- a/furt-lua/config/server.lua
+++ b/furt-lua/config/server.lua
@ -9,6 +9,31 @@ return {
    -- Timeouts (seconds)
    client_timeout = 10,
    
+    -- CORS Configuration
+    cors = {
+        -- Default allowed origins for development
+        -- Override in production with CORS_ALLOWED_ORIGINS environment variable
+        allowed_origins = (function()
+            local env_origins = os.getenv("CORS_ALLOWED_ORIGINS")
+            if env_origins then
+                -- Parse comma-separated list from environment
+                local origins = {}
+                for origin in env_origins:gmatch("([^,]+)") do
+                    table.insert(origins, origin:match("^%s*(.-)%s*$")) -- trim whitespace
+                end
+                return origins
+            else
+                -- Default development origins
+                return {
+                    "http://localhost:1313",      -- Hugo dev server
+                    "http://127.0.0.1:1313",     -- Hugo dev server alternative
+                    "http://localhost:3000",     -- Common dev port
+                    "http://127.0.0.1:3000"      -- Common dev port alternative
+                }
+            end
+        end)()
+    },
+    
    -- Logging
    log_level = "info",
    log_requests = true,