From 87ff2d5d20b9fecae5d686e7917bc57b09ba776e Mon Sep 17 00:00:00 2001
From: Matt
Date: Tue, 10 Feb 2026 13:50:36 +0100
Subject: [PATCH] Fix Kong CORS configuration for cross-origin requests
- Add proper CORS configuration to all Kong routes
- Allow portal.monacousa.org and localhost origins
- Configure allowed methods, headers, and credentials
- Fixes 'Cross-site POST form submissions are forbidden' error
Co-Authored-By: Claude Sonnet 4.5
---
 docker/kong/kong.yml.template | 270 ++++++++++++++++++++++++++++++++++
 1 file changed, 270 insertions(+)
diff --git a/docker/kong/kong.yml.template b/docker/kong/kong.yml.template
index 8c6cfdc..3825300 100644
--- a/docker/kong/kong.yml.template
+++ b/docker/kong/kong.yml.template
@@ -26,6 +26,33 @@ services:
 preserve_host: false
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: auth-v1-open
 url: http://auth:9999/verify
@@ -36,6 +63,33 @@ services:
 - /auth/v1/verify
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: auth-v1-open-callback
 url: http://auth:9999/callback
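Review bot: The two `http://localhost` origins are granted `credentials: true` in the same allow-list as `https://portal.monacousa.org`, so a production rendering of this template lets any page served from a user's loopback on port 3000 or 7453 make credentialed cross-origin requests to every route patched here; since the file is a `.template`, the localhost entries belong only in non-production renderings, e.g. emitted from a placeholder such as `${KONG_CORS_ORIGINS}` (placeholder name, not from the page) so the deployed allow-list is exactly the portal origin. The identical 27-line `config:` block is repeated in all nine hunks of this commit (the routes `/auth/v1/verify`, `/auth/v1/callback`, `/auth/v1/authorize`, `/auth/v1/`, `/rest/v1/`, `/realtime/v1/websocket`, `/realtime/v1/`, `/storage/v1/object/public` and `/storage/v1/`), and the diffstat's 270 insertions suggest a tenth copy outside this excerpt; Kong's declarative config accepts a top-level `plugins:` entry with `name: cors` that applies to every route, which would keep origins and headers from drifting between services. Whichever form is kept, a comment such as `# localhost origins are for local development only; omit them from production renderings` above the `origins:` list would make the intent explicit. The enclosing `services:` list begins and ends outside every hunk.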
@@ -46,6 +100,33 @@ services:
 - /auth/v1/callback
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: auth-v1-open-authorize
 url: http://auth:9999/authorize
@@ -56,6 +137,33 @@ services:
 - /auth/v1/authorize
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: auth-v1
 url: http://auth:9999/
@@ -66,6 +174,33 @@ services:
 - /auth/v1/
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: key-auth
 config:
 hide_credentials: false
@@ -85,6 +220,33 @@ services:
 - /rest/v1/
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: key-auth
 config:
 hide_credentials: false
@@ -104,6 +266,33 @@ services:
 - /realtime/v1/websocket
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: key-auth
 config:
 hide_credentials: false
@@ -123,6 +312,33 @@ services:
 - /realtime/v1/
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: key-auth
 config:
 hide_credentials: false
@@ -142,6 +358,33 @@ services:
 - /storage/v1/object/public
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: storage-v1
 url: http://storage:5000/
@@ -152,6 +395,33 @@ services:
 - /storage/v1/
 plugins:
 - name: cors
+ config:
+ origins:
+ - https://portal.monacousa.org
+ - http://localhost:7453
+ - http://localhost:3000
+ methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ headers:
+ - Accept
+ - Accept-Version
+ - Authorization
+ - Content-Length
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ - apikey
+ - x-client-info
+ exposed_headers:
+ - Content-Length
+ - Content-Range
+ credentials: true
+ max_age: 3600
 - name: key-auth
 config:
 hide_credentials: false