feat: tunnel and proxy use dev mode always (#388)
The `--dev` flag essentially enabled wildcard cors. To make development easier, the flag has been removed and instead we will check if the user supplied specific CORS origins. If they did not, wildcard CORS is enabled.
aeneasr authored Oct 17, 2024
1 parent 98de179 commit 30b10d9
Showing 4 changed files with 44 additions and 28 deletions.
2 changes: 1 addition & 1 deletion cmd/cloudx/client/auth.go
Expand Up @@ -107,7 +107,7 @@ func (h *CommandHelper) Authenticate(ctx context.Context) error {
}

if config.AccessToken != nil {
_, _ = fmt.Fprintf(h.VerboseErrWriter, "You are already logged in. Use the logout command to log out.\n")
_, _ = fmt.Fprintf(h.VerboseErrWriter, "Using API key instead of a user session.\n")
return nil
}
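Review bot: the replacement message on the `config.AccessToken != nil` branch of `Authenticate` says an API key is in use, but the condition only tests for an access token. If `AccessToken` can also be populated by an earlier interactive login, the user is told the wrong credential type; either branch on where the token came from or word the message neutrally. This change is also not covered by the commit message, which only describes the `--dev` flag and CORS.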

17 changes: 11 additions & 6 deletions cmd/cloudx/proxy/helpers.go
Expand Up @@ -86,7 +86,7 @@ func registerConfigFlags(conf *config, flags *pflag.FlagSet) {
flags.Var(&conf.defaultRedirectTo, DefaultRedirectURLFlag, "Set the URL to redirect to per default after e.g. login or account creation.")
flags.StringSliceVar(&conf.corsOrigins, CORSFlag, []string{}, "A list of allowed CORS origins. Wildcards are allowed.")
flags.StringSliceVar(&conf.additionalCorsHeaders, AdditionalCORSHeadersFlag, []string{}, "A list of additional CORS headers to allow. Wildcards are allowed.")
flags.BoolVar(&conf.isDev, DevFlag, false, "Use this flag when developing locally.")
flags.BoolVar(&conf.isDev, DevFlag, true, "This flag is deprecated as the command is only supposed to be used during development.")
flags.BoolVar(&conf.isDebug, DebugFlag, false, "Use this flag to debug, for example, CORS requests.")
flags.BoolVar(&conf.rewriteHost, RewriteHostFlag, false, "Use this flag to rewrite the host header to the upstream host.")
}
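Review bot: in `registerConfigFlags`, `DevFlag` stays registered with its default flipped to `true` and is called deprecated only in its help string, while the commit message says the flag has been removed. Scripts that still pass `--dev` get no warning at run time; calling `flags.MarkDeprecated(DevFlag, "...")` after the `BoolVar` would print one and hide the flag from the help output. If `conf.isDev` is read anywhere other than the CORS branch in `runReverseProxy`, the new default silently changes that behaviour too, so that is worth checking.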
Expand Down Expand Up @@ -223,7 +223,7 @@ func runReverseProxy(ctx context.Context, h *client.CommandHelper, stdErr io.Wri
}

var originFunc func(r *http.Request, origin string) bool
if conf.isDev {
if len(conf.corsOrigins) == 0 {
originFunc = func(r *http.Request, origin string) bool {
return true
}
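Review bot: the `len(conf.corsOrigins) == 0` check in `runReverseProxy` makes accept-every-origin the fallback whenever `--allowed-cors-origins` is missing or ends up empty, so the permissive mode is now selected silently instead of by an explicit flag. The client snippet printed further down in this function sets `withCredentials: true`, so if the CORS middleware also allows credentials (not visible in this hunk), every origin gets credentialed access through the proxy. Suggest writing a line to `stdErr` when this branch is taken, stating that all origins are allowed and naming the flag that restricts them.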
Expand Down Expand Up @@ -254,16 +254,21 @@ func runReverseProxy(ctx context.Context, h *client.CommandHelper, stdErr io.Wri
if conf.isTunnel {
_, _ = fmt.Fprintf(stdErr, `To access Ory's APIs, use URL
%[1]s
export ORY_SDK_URL=%[1]s # Linux / macOS
set ORY_SDK_URL=%[1]s # Windows CMD
$env:ORY_SDK_URL = "%[1]s" # Windows PowerShell
and configure your SDKs to point to it, for example in JavaScript:
import { V0alpha2Api, Configuration } from '@ory/client'
const ory = new V0alpha2Api(new Configuration({
import { FrontendApi, Configuration } from '@ory/client-fetch'
const ory = new FrontendApi(new Configuration({
basePath: '%[1]s',
baseOptions: {
withCredentials: true
}
},
headers: {
Accept: "application/json"
}
}))
`, conf.publicURL.String())
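Review bot: the printed JavaScript snippet switches the import to `@ory/client-fetch` but keeps `baseOptions: { withCredentials: true }`, which is the axios-style option from the previous `@ory/client` example. Please confirm the fetch-based `Configuration` honours `baseOptions`; fetch clients normally take `credentials: 'include'`, and if the option is ignored the session cookie is not sent and users copying this snippet get unauthenticated responses. The added `headers` block uses double quotes while the rest of the snippet uses single quotes.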
25 changes: 15 additions & 10 deletions cmd/cloudx/proxy/proxy.go
Expand Up @@ -22,11 +22,7 @@ func NewProxyCommand() *cobra.Command {
Use: "proxy <application-url> [<publish-url>]",
Short: "Run your app and Ory on the same domain using a reverse proxy",
Args: cobra.RangeArgs(1, 2),
Example: `{{.CommandPath}} http://localhost:3000 --dev
{{.CommandPath}} http://localhost:3000 https://app.example.com \
--allowed-cors-origins https://www.example.org \
--allowed-cors-origins https://api.example.org \
--allowed-cors-origins https://www.another-app.com
Example: `{{.CommandPath}} http://localhost:3000
`,
Long: `The Ory Proxy allows your application and Ory to run on the same domain by acting as a reverse proxy. It forwards all traffic to your application, ensuring that features like cookies and CORS function correctly during local development.
Expand All @@ -49,16 +45,27 @@ Once your project is ready, pass the project’s slug to the proxy command:
### Local development
For local development, use the ` + "`--dev`" + ` flag to apply a relaxed security setting:
For local development, use:
$ {{.CommandPath}} --dev --project <project-id-or-slug> http://localhost:3000
$ {{.CommandPath}} --project <project-id-or-slug> http://localhost:3000
The first argument, ` + "`application-url`" + `, points to your application's location. If running both the proxy and your app on the same host, this could be ` + "`localhost`" + `. All traffic sent to the Ory Proxy will be forwarded to this URL.
The second argument, ` + "`publish-url`" + `, is optional and only necessary for production scenarios. It specifies the public URL of your application (e.g., ` + "`https://www.example.org`" + `). If ` + "`publish-url`" + ` is not set, it defaults to the host and port the proxy listens on.
The second argument, ` + "`publish-url`" + `, is optional and only necessary when the local app is not running on localhost. It specifies the public URL of your application (e.g., ` + "`https://www.example.org`" + `). If ` + "`publish-url`" + ` is not set, it defaults to the host and port the proxy listens on.
**Important**: The Ory Proxy is intended for development use only and should not be used in production environments.
### CORS
You can restrict the CORS domains using the ` + "`--allowed-cors-origins`" + ` flag:
$ {{.CommandPath}} http://localhost:3000 https://app.example.com \
--allowed-cors-origins https://www.example.org \
--allowed-cors-origins https://api.example.org \
--allowed-cors-origins https://www.another-app.com
Per default, CORS is enabled for all origins.
### Connecting in automated environments
To connect the Ory Tunnel in automated environments, create a Project API Key for your project and set it as an environment variable:
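Review bot: the new `### CORS` section ends with "Per default, CORS is enabled for all origins" without saying when that matters. The example directly above it passes a `publish-url` (`https://app.example.com`), which is the case where the proxy is reachable under a public name, so the text should recommend setting `--allowed-cors-origins` whenever `publish-url` is used. The help also drops every mention of `--dev` although the flag is still registered; a one-line deprecation note would help people with existing scripts.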
Expand Down Expand Up @@ -89,8 +96,6 @@ If the proxy runs on a subdomain and you want Ory’s cookies (e.g., session coo
$ {{.CommandPath}} --project <project-id-or-slug> \
--cookie-domain gateway.local \
--allowed-cors-origins https://www.gateway.local \
--allowed-cors-origins https://api.gateway.local \
http://127.0.0.1:3000 \
https://ory.gateway.local
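Review bot: removing the two `--allowed-cors-origins` lines from the `--cookie-domain gateway.local` example means the documented gateway setup now runs with every origin allowed, given the new `len(conf.corsOrigins) == 0` fallback in helpers.go. This is the one example where the proxy sits on a shared domain with a domain-wide cookie, so it is the place to keep showing the restricted configuration; suggest leaving `--allowed-cors-origins https://www.gateway.local` and `--allowed-cors-origins https://api.gateway.local` in.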
28 changes: 17 additions & 11 deletions cmd/cloudx/proxy/tunnel.go
Expand Up @@ -24,11 +24,7 @@ func NewTunnelCommand() *cobra.Command {
Use: "tunnel <application-url> [<tunnel-url>]",
Short: "Mirror Ory APIs on your local machine for local development and testing",
Args: cobra.RangeArgs(1, 2),
Example: `{{.CommandPath}} http://localhost:3000 --dev
{{.CommandPath}} https://app.example.com \
--allowed-cors-origins https://www.example.org \
--allowed-cors-origins https://api.example.org \
--allowed-cors-origins https://www.another-app.com
Example: `{{.CommandPath}} http://localhost:3000
`,
Long: fmt.Sprintf(`The Ory Tunnel mirrors Ory APIs on your local machine, allowing seamless development and testing. This setup is required for features such as CORS and cookie support, making it possible for Ory and your application to share the same top-level domain during development. To use the tunnel, authentication via `+"`ORY_PROJECT_API_KEY`"+` or browser-based sign-in is required.
Expand Down Expand Up @@ -62,11 +58,23 @@ This will prevent the browser window from opening.
### Local development
When developing locally, use the --dev flag to enable a more relaxed security configuration:
For local development, use:
$ {{.CommandPath}} --dev --project <project-id-or-slug> http://localhost:3000
$ {{.CommandPath}} --project <project-id-or-slug> http://localhost:3000
### CORS
You can restrict the CORS domains using the `+"`--allowed-cors-origins`"+` flag:
$ {{.CommandPath}} http://localhost:3000 https://app.example.com \
--allowed-cors-origins https://www.example.org \
--allowed-cors-origins https://api.example.org \
--allowed-cors-origins https://www.another-app.com
Per default, CORS is enabled for all origins.
### Running behind a gateway (development only)
Running behind a gateway (development only)
Important: The Ory Tunnel is designed for development purposes only and should not be used in production environments.
If you need to run the tunnel behind a gateway during development, you can specify the optional second argument, tunnel-url, to define the domain where the Ory Tunnel will run (for example, https://ory.example.org).
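Review bot: the example in the new `### CORS` section is the same text as in proxy.go and passes two positional URLs, `http://localhost:3000 https://app.example.com`. For this command the second positional is `tunnel-url`, which the paragraph at the end of this hunk describes as the domain where the Ory Tunnel itself runs, so the example places the tunnel on `app.example.com`, which reads like a copy from the proxy help. Suggest a tunnel-specific example, for instance a single application URL followed by the `--allowed-cors-origins` flags.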
Expand All @@ -76,9 +84,7 @@ Example:
$ {{.CommandPath}} --project <project-id-or-slug> \
https://www.example.org \
https://auth.example.org \
--cookie-domain example.org \
--allowed-cors-origins https://www.example.org \
--allowed-cors-origins https://api.example.org
--cookie-domain example.org
Note: You cannot set a path in the `+"`tunnel-url`"+`.
