From c2d57bc5a259aaefa1f3a3c57ca3471dc72d9dde Mon Sep 17 00:00:00 2001 From: Gabriel Kaszewski Date: Fri, 26 Dec 2025 00:52:37 +0100 Subject: [PATCH] feat: implement configurable CORS origins and remove redundant comments --- notes-api/src/main.rs | 59 +++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 33 deletions(-) diff --git a/notes-api/src/main.rs b/notes-api/src/main.rs index 6a50a97..f36598c 100644 --- a/notes-api/src/main.rs +++ b/notes-api/src/main.rs @@ -54,7 +54,6 @@ async fn main() -> anyhow::Result<()> { .map_err(|e| anyhow::anyhow!(e))?; // Run migrations - // The factory/infra layer abstracts the database type if let Err(e) = run_migrations(&pool).await { tracing::warn!( "Migration error (might be expected if not implemented for this DB): {}", 
@@ -128,42 +127,37 @@ async fn main() -> anyhow::Result<()> { .with_secure(false) // Set to true in production with HTTPS .with_expiry(Expiry::OnInactivity(Duration::seconds(60 * 60 * 24 * 7))); // 7 days - // Auth layer let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer).build(); - // Parse CORS origins - // let mut cors = CorsLayer::new() - // .allow_methods([ - // axum::http::Method::GET, - // axum::http::Method::POST, - // axum::http::Method::PATCH, - // axum::http::Method::DELETE, - // axum::http::Method::OPTIONS, - // ]) - // .allow_headers([ - // axum::http::header::AUTHORIZATION, - // axum::http::header::ACCEPT, - // axum::http::header::CONTENT_TYPE, - // ]) - // .allow_credentials(true); - let mut cors = CorsLayer::very_permissive(); + let mut cors = CorsLayer::new() + .allow_methods([ + axum::http::Method::GET, + axum::http::Method::POST, + axum::http::Method::PATCH, + axum::http::Method::DELETE, + axum::http::Method::OPTIONS, + ]) + .allow_headers([ + axum::http::header::AUTHORIZATION, + axum::http::header::ACCEPT, + axum::http::header::CONTENT_TYPE, + ]) + .allow_credentials(true); - // Add allowed origins - // let mut allowed_origins = Vec::new(); - // for origin in &config.cors_allowed_origins { - // tracing::debug!("Allowing CORS origin: {}", origin); - // if let Ok(value) = origin.parse::() { - // allowed_origins.push(value); - // } else { - // tracing::warn!("Invalid CORS origin: {}", origin); - // } - // } + let mut allowed_origins = Vec::new(); + for origin in &config.cors_allowed_origins { + tracing::debug!("Allowing CORS origin: {}", origin); + if let Ok(value) = origin.parse::() { + allowed_origins.push(value); + } else { + tracing::warn!("Invalid CORS origin: {}", origin); + } + } - // if !allowed_origins.is_empty() { - // cors = cors.allow_origin(allowed_origins); - // } + if !allowed_origins.is_empty() { + cors = cors.allow_origin(allowed_origins); + } - // Build the application let app = Router::new() .nest("/api/v1", 
routes::api_v1_router()) .layer(auth_layer) @@ -171,7 +165,6 @@ async fn main() -> anyhow::Result<()> { .layer(TraceLayer::new_for_http()) .with_state(state); - // Start the server let addr = format!("{}:{}", config.host, config.port); let listener = tokio::net::TcpListener::bind(&addr).await?;
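Review bot: In the `for origin in &config.cors_allowed_origins` loop an entry is accepted as soon as it parses as a header value, so with `.allow_credentials(true)` set just above, the allow-list can hold values that are not real origins: `null`, `*`, or a URL with a path or trailing slash. A `null` entry would extend credentialed access to opaque-origin documents, a path-suffixed entry never matches and fails silently, and `*` is, as far as I recall, rejected with a panic by tower-http's origin-list constructor. Checking each entry as `scheme://host[:port]` and failing startup on a bad one would make misconfiguration visible, for example `.map_err(|e| anyhow::anyhow!("invalid CORS origin {origin}: {e}"))?` on the parse result instead of the `tracing::warn!` branch. The `tracing::debug!("Allowing CORS origin: {}", origin)` line also runs before the parse, so rejected entries are logged as allowed; it belongs in the success branch. `main` begins and ends outside this hunk, so how `config.cors_allowed_origins` is loaded is not visible here.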