Use CORS middleware to allow RoomService use (#335)

go.mod

@@ -31,6 +31,7 @@ require (
 	github.com/pion/webrtc/v3 v3.1.14-0.20220107154618-d4b645635c44
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
+	github.com/rs/cors v1.8.2
 	github.com/rs/zerolog v1.26.0
 	github.com/stretchr/testify v1.7.0
 	github.com/thoas/go-funk v0.8.0

go.sum

@@ -233,6 +233,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rs/cors v1.8.2 h1:KCooALfAYGs415Cwu5ABvv9n9509fSiG5SQJn/AQo4U=
+github.com/rs/cors v1.8.2/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.26.0 h1:ORM4ibhEZeTeQlCojCK2kPz1ogAY4bGs4tD+SaAdGaE=
 github.com/rs/zerolog v1.26.0/go.mod h1:yBiM87lvSqX8h0Ww4sdzNSkVYZ8dL2xjZJG1lAuGZEo=

pkg/service/server.go

@@ -16,6 +16,7 @@ import (
 	"github.com/livekit/protocol/utils"
 	"github.com/pion/turn/v2"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/rs/cors"
 	"github.com/urfave/negroni"
 
 	"github.com/livekit/livekit-server/pkg/config"
@@ -63,6 +64,10 @@ func NewLivekitServer(conf *config.Config,
 	middlewares := []negroni.Handler{
 		// always first
 		negroni.NewRecovery(),
+		// CORS is allowed, we rely on token authentication to prevent improper use
+		cors.New(cors.Options{
+			AllowedOrigins: []string{"*"},
+		}),
 	}
 	if keyProvider != nil {
 		middlewares = append(middlewares, NewAPIKeyAuthMiddleware(keyProvider))
@@ -109,6 +114,10 @@ func (s *LivekitServer) Node() *livekit.Node {
 	return s.currentNode
 }
 
+func (s *LivekitServer) HTTPPort() int {
+	return int(s.config.Port)
+}
+
 func (s *LivekitServer) IsRunning() bool {
 	return s.running.Get()
 }

test/singlenode_test.go

@@ -2,6 +2,8 @@ package test
 
 import (
 	"context"
+	"fmt"
+	"net/http"
 	"strings"
 	"testing"
 	"time"
@@ -304,3 +306,20 @@ func TestSingleNodeRoomList(t *testing.T) {
 
 	roomServiceListRoom(t)
 }
+
+// Ensure that CORS headers are returned
+func TestSingleNodeCORS(t *testing.T) {
+	if testing.Short() {
+		t.SkipNow()
+		return
+	}
+	s, finish := setupSingleNodeTest("TestSingleNodeCORS", testRoom)
+	defer finish()
+
+	req, err := http.NewRequest("GET", fmt.Sprintf("http://localhost:%d", s.HTTPPort()), nil)
+	require.NoError(t, err)
+	req.Header.Set("Origin", "testhost.com")
+	res, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	require.Equal(t, "*", res.Header.Get("Access-Control-Allow-Origin"))
+}