chore: more explicit cors policy (#133)

Be explicit about origins, HTTP methods and HTTP headers in CORS policy
ithacaxyz · Jan 16, 2025 · 767d457 · 767d457
1 parent eab7a39
commit 767d457
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 9 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -221,9 +221,10 @@ metrics = "0.23.0"
 metrics-derive = "0.1.0"
 
 # rpc
+jsonrpsee = "0.24"
+hyper = "1.5"
 tower = "0.4"
 tower-http = { version = "0.6", features = ["cors"] }
-jsonrpsee = "0.24"
 
 # misc
 clap = "4"

diff --git a/bin/relay/Cargo.toml b/bin/relay/Cargo.toml
@@ -11,20 +11,21 @@ description = "Odyssey Relay is an EIP-7702 native transaction batcher and spons
 workspace = true
 
 [dependencies]
-alloy-signer-local.workspace = true
 alloy-primitives.workspace = true
 alloy-provider.workspace = true
 alloy-rpc-client.workspace = true
-odyssey-wallet.workspace = true
+alloy-signer-local.workspace = true
+clap = { workspace = true, features = ["derive", "env"] }
 eyre.workspace = true
+hyper.workspace = true
 jsonrpsee = { workspace = true, features = ["server"] }
-tracing.workspace = true
+odyssey-wallet.workspace = true
 reth-tracing.workspace = true
-clap = { workspace = true, features = ["derive", "env"] }
-url.workspace = true
 tokio = { workspace = true, features = ["rt", "macros"] }
-tower.workspace = true
 tower-http.workspace = true
+tower.workspace = true
+tracing.workspace = true
+url.workspace = true
 
 [features]
 default = []

diff --git a/bin/relay/src/main.rs b/bin/relay/src/main.rs
@@ -7,12 +7,13 @@ use alloy_rpc_client::RpcClient;
 use alloy_signer_local::PrivateKeySigner;
 use clap::Parser;
 use eyre::Context;
+use hyper::Method;
 use jsonrpsee::server::Server;
 use odyssey_wallet::{AlloyUpstream, OdysseyWallet, OdysseyWalletApiServer};
 use reth_tracing::Tracer;
 use std::net::{IpAddr, Ipv4Addr};
 use tower::ServiceBuilder;
-use tower_http::cors::CorsLayer;
+use tower_http::cors::{Any, CorsLayer};
 use tracing::info;
 use url::Url;
 
@@ -54,9 +55,13 @@ impl Args {
         let rpc = OdysseyWallet::new(AlloyUpstream::new(provider), chain_id).into_rpc();
 
         // start server
+        let cors = CorsLayer::new()
+            .allow_methods([Method::POST])
+            .allow_origin(Any)
+            .allow_headers([hyper::header::CONTENT_TYPE]);
         let server = Server::builder()
             .http_only()
-            .set_http_middleware(ServiceBuilder::new().layer(CorsLayer::permissive()))
+            .set_http_middleware(ServiceBuilder::new().layer(cors))
             .build((self.address, self.port))
             .await?;
         info!(addr = ?server.local_addr().unwrap(), "Started relay service");