Configure non-simple CORS server-side

@dmjio says (probably correctly) that it's best to just serve the client from
the server and circumvent CORS issues altogether.

One day I will set that up. For now, this works... *sigh*

1 files changed, 13 insertions, 3 deletions

diff --git a/src/App.hs b/src/App.hs
index e5b8de7e7e7f..abd1bfba96bd 100644
--- a/src/App.hs
+++ b/src/App.hs
@@ -10,13 +10,14 @@ module App where
 import Control.Monad.IO.Class (liftIO)
 import Data.String.Conversions (cs)
 import Data.Text (Text)
-import Network.Wai.Handler.Warp as Warp
 import Servant
 import Servant.Server.Internal.ServerError
 import API
 import Utils
 import Web.Cookie
 
+import qualified Network.Wai.Handler.Warp as Warp
+import qualified Network.Wai.Middleware.Cors as Cors
 import qualified System.Random as Random
 import qualified Email as Email
 import qualified Crypto.KDF.BCrypt as BC
@@ -205,5 +206,14 @@ server config@T.Config{..} = createAccount
         pure NoContent
 
 run :: T.Config -> IO ()
-run config =
-  Warp.run 3000 (serve (Proxy @ API) $ server config)
+run config@T.Config{..} =
+  Warp.run 3000 (enforceCors $ serve (Proxy @ API) $ server config)
+  where
+    enforceCors = Cors.cors (const $ Just corsPolicy)
+    corsPolicy :: Cors.CorsResourcePolicy
+    corsPolicy =
+      Cors.simpleCorsResourcePolicy
+        { Cors.corsOrigins = Just ([cs configClient], True)
+        , Cors.corsMethods = Cors.simpleMethods ++ ["PUT", "PATCH", "DELETE", "OPTIONS"]
+        , Cors.corsRequestHeaders = Cors.simpleHeaders ++ ["Content-Type", "Authorization"]
+        }