From 8943a29f9a348ccf0c27733e6432639d944e895b Mon Sep 17 00:00:00 2001
From: jubnl <jgunther021@gmail.com>
Date: Fri, 26 Dec 2025 02:50:40 +0100
Subject: [PATCH 1/5] Add a way to define CORS origins using environment
 variables

---
 .env.example       |  7 +++-
 docker-compose.yml |  1 +
 src/http/mod.rs    | 91 +++++++++++++++++++++++++++++++++++++---------
 3 files changed, 81 insertions(+), 18 deletions(-)

diff --git a/.env.example b/.env.example
index 8829a0c..17067dd 100644
--- a/.env.example
+++ b/.env.example
@@ -12,4 +12,9 @@ WEBHOOK_PINGS="<@&role_id> <@user_id>"
 ADMIN_PASSWORD=supersecret
 
 # used for kept video access
-PUBLIC_URL=https://vertd.your-domain.here
\ No newline at end of file
+PUBLIC_URL=https://vertd.your-domain.here
+
+# CORS origins setup
+# Can either be "*" or comma separated origins: "https://origin1.com,https://origin2.com"
+# If not defined, fall back automatically to *
+CORS_ORIGINS=*
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 82f2067..871414c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,6 +8,7 @@ services:
       - WEBHOOK_PINGS=${WEBHOOK_PINGS}
       - ADMIN_PASSWORD=${ADMIN_PASSWORD}
       - PUBLIC_URL=${PUBLIC_URL}
+      - CORS_ORIGINS=${CORS_ORIGINS:-*}
     ports:
       - "${PORT:-24153}:24153"
 
diff --git a/src/http/mod.rs b/src/http/mod.rs
index 86928c5..fb8ee5d 100644
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@@ -8,16 +8,75 @@ use crate::http::services::keep::keep;
 mod response;
 mod services;
 
+#[derive(Clone, Debug)]
+enum CorsConfig {
+    Any,
+    Specific(Vec<String>),
+}
+
+fn parse_cors(origins_raw: &str) -> CorsConfig {
+    let raw = origins_raw.trim();
+
+    if raw.is_empty() || raw == "*" {
+        return CorsConfig::Any;
+    }
+
+    let origins = raw
+        .split(',')
+        .map(str::trim)
+        .filter(|s| !s.is_empty())
+        .map(String::from)
+        .collect::<Vec<_>>();
+
+    CorsConfig::Specific(origins)
+}
+
+fn build_cors(config: &CorsConfig) -> Cors {
+    match config {
+        CorsConfig::Any => Cors::default()
+            .allow_any_origin()
+            .allow_any_method()
+            .allow_any_header(),
+
+        CorsConfig::Specific(origins) => {
+            let mut cors = Cors::default().allow_any_method().allow_any_header();
+
+            for origin in origins {
+                cors = cors.allowed_origin(origin);
+            }
+
+            cors
+        }
+    }
+}
+
 pub async fn start_http() -> anyhow::Result<()> {
-    let server = HttpServer::new(|| {
-        App::new()
-            .wrap(
-                Cors::default()
-                    .allow_any_origin()
-                    .allow_any_method()
-                    .allow_any_header(),
-            )
-            .service(
+    let cors_origins = std::env::var("CORS_ORIGINS").unwrap_or_else(|_| "*".to_string());
+    let cors_config = parse_cors(&cors_origins);
+
+    match &cors_config {
+        CorsConfig::Any => info!("CORS: allow any origin (*)"),
+        CorsConfig::Specific(origins) => {
+            info!("CORS: allowed origins:");
+            for origin in origins {
+                info!("  - {}", origin);
+            }
+        }
+    }
+
+    let port = std::env::var("PORT").unwrap_or_else(|_| "24153".to_string());
+    if !port.chars().all(char::is_numeric) {
+        anyhow::bail!("PORT must be a number");
+    }
+    let ip = format!("0.0.0.0:{port}");
+    info!("http server starting on {}", ip);
+
+    HttpServer::new({
+        let cors_config = cors_config.clone(); // moved into the closure
+        move || {
+            let cors = build_cors(&cors_config);
+
+            App::new().wrap(cors).service(
                 web::scope("/api")
                     .service(upload)
                     .service(download)
@@ -25,13 +84,11 @@ pub async fn start_http() -> anyhow::Result<()> {
                     .service(version)
                     .service(keep),
             )
-    });
-    let port = std::env::var("PORT").unwrap_or_else(|_| "24153".to_string());
-    if !port.chars().all(char::is_numeric) {
-        anyhow::bail!("PORT must be a number");
-    }
-    let ip = format!("0.0.0.0:{}", port);
-    info!("http server listening on {}", ip);
-    server.bind(ip)?.run().await?;
+        }
+    })
+    .bind(ip)?
+    .run()
+    .await?;
+
     Ok(())
 }

From 81b8cc58252a7a6fe2ea250206daee15812a4d3e Mon Sep 17 00:00:00 2001
From: jubnl <jgunther021@gmail.com>
Date: Fri, 26 Dec 2025 04:33:58 +0100
Subject: [PATCH 2/5] Add a way to define CORS origins using environment
 variables

---
 src/http/mod.rs | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/src/http/mod.rs b/src/http/mod.rs
index fb8ee5d..483038f 100644
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@@ -64,14 +64,7 @@ pub async fn start_http() -> anyhow::Result<()> {
         }
     }
 
-    let port = std::env::var("PORT").unwrap_or_else(|_| "24153".to_string());
-    if !port.chars().all(char::is_numeric) {
-        anyhow::bail!("PORT must be a number");
-    }
-    let ip = format!("0.0.0.0:{port}");
-    info!("http server starting on {}", ip);
-
-    HttpServer::new({
+    let server = HttpServer::new({
         let cors_config = cors_config.clone(); // moved into the closure
         move || {
             let cors = build_cors(&cors_config);
@@ -85,10 +78,14 @@ pub async fn start_http() -> anyhow::Result<()> {
                     .service(keep),
             )
         }
-    })
-    .bind(ip)?
-    .run()
-    .await?;
+    });
 
+    let port = std::env::var("PORT").unwrap_or_else(|_| "24153".to_string());
+    if !port.chars().all(char::is_numeric) {
+        anyhow::bail!("PORT must be a number");
+    }
+    let ip = format!("0.0.0.0:{port}");
+    info!("http server listening on {}", ip);
+    server.bind(ip)?.run().await?;
     Ok(())
 }

From e02257dae0844a7ad3d382bb7dcb5d241a7344ed Mon Sep 17 00:00:00 2001
From: jubnl <jgunther021@gmail.com>
Date: Fri, 26 Dec 2025 04:34:48 +0100
Subject: [PATCH 3/5] Add a way to define CORS origins using environment
 variables

---
 src/http/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/http/mod.rs b/src/http/mod.rs
index 483038f..85b5b7b 100644
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@@ -65,7 +65,7 @@ pub async fn start_http() -> anyhow::Result<()> {
     }
 
     let server = HttpServer::new({
-        let cors_config = cors_config.clone(); // moved into the closure
+        let cors_config = cors_config.clone();
         move || {
             let cors = build_cors(&cors_config);
 

From 108ba86532a1d1b8db423ad968f37a4e1ea0f729 Mon Sep 17 00:00:00 2001
From: jubnl <jgunther021@gmail.com>
Date: Fri, 26 Dec 2025 04:35:27 +0100
Subject: [PATCH 4/5] Add a way to define CORS origins using environment
 variables

---
 src/http/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/http/mod.rs b/src/http/mod.rs
index 85b5b7b..236c1a1 100644
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@@ -84,7 +84,7 @@ pub async fn start_http() -> anyhow::Result<()> {
     if !port.chars().all(char::is_numeric) {
         anyhow::bail!("PORT must be a number");
     }
-    let ip = format!("0.0.0.0:{port}");
+    let ip = format!("0.0.0.0:{}", port);
     info!("http server listening on {}", ip);
     server.bind(ip)?.run().await?;
     Ok(())

From a6255131d5abf7785e355b0ab6037bce0e8ee142 Mon Sep 17 00:00:00 2001
From: jubnl <jgunther021@gmail.com>
Date: Fri, 26 Dec 2025 04:44:24 +0100
Subject: [PATCH 5/5] Add a way to define CORS origins using environment
 variables

---
 src/http/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/http/mod.rs b/src/http/mod.rs
index 236c1a1..1b27d58 100644
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@@ -8,7 +8,7 @@ use crate::http::services::keep::keep;
 mod response;
 mod services;
 
-#[derive(Clone, Debug)]
+#[derive(Clone)]
 enum CorsConfig {
     Any,
     Specific(Vec<String>),