fix(agent/security): Make CORS more restrictive and configurable

* By default, allow requests originating from http://localhost:{AP_SERVER_PORT} instead of all origins * Allow configuring allowed CORS origins through `AP_SERVER_CORS_ALLOWED_ORIGINS`
2024-02-28 21:14:49 +01:00 · 2024-02-28 21:14:49 +01:00 · ce45c9b267
parent 1881f4f7cd
commit ce45c9b267
2 changed files with 10 additions and 5 deletions
--- a/autogpts/autogpt/.env.template
+++ b/autogpts/autogpt/.env.template
@ -232,6 +232,8 @@ OPENAI_API_KEY=your-openai-api-key
 ### Agent Protocol Server Settings
 ################################################################################
 ## AP_SERVER_PORT - Specifies what port the agent protocol server will listen on. (Default: 8000)
+## AP_SERVER_DB_URL - Specifies what connection url the agent protocol database will connect to (Default: Internal SQLite)
+## AP_SERVER_CORS_ALLOWED_ORIGINS - Comma separated list of allowed origins for CORS. (Default: http://localhost:{AP_SERVER_PORT})
 # AP_SERVER_PORT=8000
-# # AP_SERVER_DB_URL - Specifies what connection url the agent protocol database will connect to (Default: Internal SQLite)
 # AP_SERVER_DB_URL=sqlite:///data/ap_server.db
+# AP_SERVER_CORS_ALLOWED_ORIGINS=
--- a/autogpts/autogpt/autogpt/app/agent_protocol_server.py
+++ b/autogpts/autogpt/autogpt/app/agent_protocol_server.py
@ -74,11 +74,14 @@ class AgentProtocolServer:
            version="v0.4",
        )

-        # Add CORS middleware
-        origins = [
-            "*",
-            # Add any other origins you want to whitelist
+        # Configure CORS middleware
+        default_origins = [f"http://localhost:{port}"]  # Default only local access
+        configured_origins = [
+            origin
+            for origin in os.getenv("AP_SERVER_CORS_ALLOWED_ORIGINS", "").split(",")
+            if origin  # Empty list if not configured
        ]
+        origins = configured_origins or default_origins

        app.add_middleware(
            CORSMiddleware,