Rails 5.1 CORS - how to set different origins for different environments

Question

I am using the rack-cors gem with a Rail 5.1 API.

I have the following initializer as per the documentation:

config/initializers/cors.rb

module Api
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins ['http://localhost:4200','https://app.mydomain.com/']

      resource '*',
        headers: :any,
        :expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],        
        methods: [:get, :post, :put, :patch, :delete, :options, :head]
    end
  end
end

However, this means that when deployed to production my api will accept requests from any localhost:4200 origin.

How can I separate these settings out so that different environments can have different allowed origins?

Answer 1

There are a few different options. One is to use secrets.yml file. There you can define different values per environment, let's say:

development:
  allowed_origins:
    - http://localhost:4200

production:
  allowed_origins:
    - http://productionurl1.com
    - http://productionurl2.com

Then in your configuration file you can do

module Api
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins Rails.application.secrets.allowed_origins
    end
  end
end

Another option (taken from the comments) is to use the environment files, eg:

development.rb

config.allowed_cors_origins = ["http://localhost:4200"]

Then in the cors.rb initializer you can do:

Rails.application.config.allowed_cors_origins 

(since initializer will be called after the environment config file, this should work).

Answer 2

For anyone using rails 5.2, secrets.yml has been changed and now we need to use credentials. In order to use that, we need to edit config/credentials.yml.enc First, run the command EDITOR="atom --wait" rails credentials:edit (using the editor of your choosing). Then, add the origins as the accepted answer suggests:

development:
  allowed_origins:
   - http://localhost:4200

production:
  allowed_origins:
   - http://productionurl1.com
   - http://productionurl2.com

Save the file. Now the allowed origins variables will be in the encrypted file. And then in the cors initializer (in my case it was in application.rb)

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins Rails.application.credentials[Rails.env.to_sym][:allowed_origins]
    resource '*',
    headers: :any,
    expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'],
    methods: [:get, :post, :options, :delete, :put]
  end
end