fix(agent/security): Make CORS more restrictive and configurable

* By default, allow requests originating from http://localhost:{AP_SERVER_PORT} instead of all origins
* Allow configuring allowed CORS origins through `AP_SERVER_CORS_ALLOWED_ORIGINS`

autogpts/autogpt/.env.template

@@ -232,6 +232,8 @@ OPENAI_API_KEY=your-openai-api-key
 ### Agent Protocol Server Settings
 ################################################################################
 ## AP_SERVER_PORT - Specifies what port the agent protocol server will listen on. (Default: 8000)
+## AP_SERVER_DB_URL - Specifies what connection url the agent protocol database will connect to (Default: Internal SQLite)
+## AP_SERVER_CORS_ALLOWED_ORIGINS - Comma separated list of allowed origins for CORS. (Default: http://localhost:{AP_SERVER_PORT})
 # AP_SERVER_PORT=8000
-# # AP_SERVER_DB_URL - Specifies what connection url the agent protocol database will connect to (Default: Internal SQLite)
 # AP_SERVER_DB_URL=sqlite:///data/ap_server.db
+# AP_SERVER_CORS_ALLOWED_ORIGINS=

autogpts/autogpt/autogpt/app/agent_protocol_server.py

@@ -74,11 +74,14 @@ class AgentProtocolServer:
             version="v0.4",
         )
 
-        # Add CORS middleware
+        # Configure CORS middleware
-        origins = [
+        default_origins = [f"http://localhost:{port}"]  # Default only local access
-            "*",
+        configured_origins = [
-            # Add any other origins you want to whitelist
+            origin
+            for origin in os.getenv("AP_SERVER_CORS_ALLOWED_ORIGINS", "").split(",")
+            if origin  # Empty list if not configured
         ]
+        origins = configured_origins or default_origins
 
         app.add_middleware(
             CORSMiddleware,