ruby-on-rails cors rack-cors

Rails 5.1 CORS - how to set different origins for different environments


I am using the rack-cors gem with a Rails 5.1 API.

I have the following initializer as per the documentation:

config/initializers/cors.rb

module Api
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins ['http://localhost:4200','https://app.mydomain.com/']

      resource '*',
        headers: :any,
        expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'],
        methods: [:get, :post, :put, :patch, :delete, :options, :head]
    end
  end
end

However, this means that when deployed to production my API will accept requests from any localhost:4200 origin.

How can I separate these settings out so that different environments can have different allowed origins?


Solution

  • There are a few different options. One is to use the secrets.yml file. There you can define different values per environment, let's say:

    development:
      allowed_origins:
        - http://localhost:4200
    
    production:
      allowed_origins:
        - http://productionurl1.com
        - http://productionurl2.com
    

    Then in your configuration file you can do

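    module Api
      Rails.application.config.middleware.insert_before 0, Rack::Cors do
        allow do
          # Per-environment list loaded from config/secrets.yml
          origins Rails.application.secrets.allowed_origins

          # Resource rules carried over from the question's initializer
          resource '*',
            headers: :any,
            expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'],
            methods: [:get, :post, :put, :patch, :delete, :options, :head]
        end
      end
    end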
    

    Another option (taken from the comments) is to use the environment files, e.g.:

    development.rb

    config.allowed_cors_origins = ["http://localhost:4200"]
    

    Then in the cors.rb initializer you can do:

    origins Rails.application.config.allowed_cors_origins
    

    (since the initializer will be called after the environment config file, this should work).
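Whichever source the list comes from, it can be validated once at boot so that a development origin never reaches production. The following is an added example, not code from the original answer or from rack-cors; the `CorsOrigins` module, its `InvalidOrigin` error and the `ALLOWED_CORS_ORIGINS` variable name are hypothetical.

```ruby
require 'uri'

# Hypothetical helper, not part of Rails or rack-cors.
module CorsOrigins
  class InvalidOrigin < StandardError; end

  LOCAL_HOSTS = %w[localhost 127.0.0.1 ::1].freeze

  # raw: comma-separated origins, e.g. ENV['ALLOWED_CORS_ORIGINS'] (assumed name).
  # env: environment name as a String, e.g. Rails.env.to_s.
  def self.parse(raw, env:)
    origins = raw.to_s.split(',').map(&:strip).reject(&:empty?)
    # Fail closed: a missing setting stops the boot instead of being ignored.
    raise InvalidOrigin, "no CORS origins configured for #{env}" if origins.empty?

    origins.map { |origin| normalize(origin, env) }.uniq
  end

  def self.normalize(origin, env)
    uri = begin
      URI.parse(origin)
    rescue URI::InvalidURIError
      raise InvalidOrigin, "#{origin}: not a valid URL"
    end
    # Rejects '*', bare hostnames and non-HTTP schemes (URI::HTTPS < URI::HTTP).
    unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
      raise InvalidOrigin, "#{origin}: expected http(s)://host[:port]"
    end
    unless ['', '/'].include?(uri.path) && !uri.query && !uri.fragment && !uri.userinfo
      raise InvalidOrigin, "#{origin}: an origin has no path, query or credentials"
    end
    if env == 'production' && LOCAL_HOSTS.include?(uri.hostname)
      raise InvalidOrigin, "#{origin}: local development origin in production"
    end

    # A browser's Origin header has no trailing slash and omits default ports.
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}"
  end
end

# In config/initializers/cors.rb, inside the allow block:
#   origins CorsOrigins.parse(ENV['ALLOWED_CORS_ORIGINS'], env: Rails.env.to_s)
```

Because the helper raises during initialization, a production deploy whose list is empty or still contains `http://localhost:4200` fails at boot rather than serving requests with that origin allowed.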