fix(security): replace wildcard CORS on core RPC

[YOMXXX]

Summary

• Replaces wildcard Core RPC CORS behavior with an explicit allowlist for Tauri and loopback origins.
• Preserves existing Vary response values while appending Origin.
• Removes unsafe process-global env mutation from CORS tests by injecting env override input directly.
• Adds regression coverage for env override exact matching and existing Vary preservation.

Problem

• src/core/jsonrpc.rs emitted Access-Control-Allow-Origin: *, so any browser origin that obtained the bearer token could call the local RPC surface.
• The prior fix in fix(security): replace wildcard CORS on core RPC with origin allowlist #2266 addressed the core issue but still had two review blockers: unsafe env mutation in parallel Rust tests and overwriting existing Vary headers.
• I could not push directly to fix(security): replace wildcard CORS on core RPC with origin allowlist #2266's fork branch, so this PR carries the same security fix plus the review follow-ups.

Solution

• Keep is_origin_allowed(origin) as the production env-reading entry point.
• Add is_origin_allowed_with_extra(origin, extra_origins) so tests can exercise override parsing without mutating process-global environment.
• Change with_cors_headers from headers.insert(Vary, Origin) to headers.append(Vary, Origin).
• Add focused tests for existing Vary preservation and exact-match override behavior.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — changed lines (Vitest + cargo-llvm-cov merged via diff-cover) meet the gate enforced by .github/workflows/coverage.yml. CI coverage gate must confirm this; local focused Rust tests cover the changed paths.
• Coverage matrix updated — N/A: security boundary fix covered by focused Rust tests; no feature matrix row added/removed/renamed.
• All affected feature IDs from the matrix are listed in the PR description under ## Related — N/A: no coverage-matrix feature row applies.
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• Manual smoke checklist updated if this touches release-cut surfaces — N/A: Core RPC header behavior only; no manual release checklist surface changed.
• Linked issue closed via Closes #NNN in the ## Related section

Impact

• Security: arbitrary non-allowlisted browser origins no longer receive ACAO for local Core RPC responses.
• Compatibility: Tauri webview origins, loopback dev/E2E origins, and non-browser callers remain supported.
• Operators can still add exact additional debug origins with OPENHUMAN_CORE_ALLOWED_ORIGINS.

Related

• Closes Security: Core RPC server uses wildcard CORS (Access-Control-Allow-Origin: *) #2262
• Supersedes fix(security): replace wildcard CORS on core RPC with origin allowlist #2266 because I do not have permission to push review fixes to leighstillard/fix/cors-allowlist.
• Follow-up PR(s)/TODOs: none.

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: fix/2262-cors-allowlist
• Commit SHA: 9d1341cff29ef1e1b08721885124ce3267f4a99d

Validation Run

• pnpm --filter openhuman-app format:check — N/A: Rust-only Core RPC change.
• pnpm typecheck — N/A: Rust-only Core RPC change.
• Focused tests: GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml cors_tests --lib — 8 passed.
• Rust fmt/check (if changed): cargo fmt --manifest-path Cargo.toml --all; GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml --lib; git diff --check.
• Tauri fmt/check (if changed): N/A: Tauri shell unchanged.

Validation Blocked

• command: N/A
• error: N/A
• impact: N/A

Behavior Changes

• Intended behavior change: Core RPC only echoes Access-Control-Allow-Origin for allowlisted browser origins instead of wildcard *.
• User-visible effect: none expected for packaged app, loopback dev, E2E, or non-browser callers.

Parity Contract

• Legacy behavior preserved: Tauri origins, loopback origins, debug env overrides, CORS methods/headers/max-age, and no-Origin non-browser callers remain supported.
• Guard/fallback/dispatch parity checks: focused CORS unit tests cover allowed origins, denied origins, no-Origin callers, exact env override matching, and preserved Vary values.

Duplicate / Superseded PR Handling

• Duplicate PR(s): fix(security): replace wildcard CORS on core RPC with origin allowlist #2266
• Canonical PR: this PR if maintainers prefer an immediately updated branch; otherwise fix(security): replace wildcard CORS on core RPC with origin allowlist #2266 can cherry-pick 9d1341cff29ef1e1b08721885124ce3267f4a99d.
• Resolution (closed/superseded/updated): fix(security): replace wildcard CORS on core RPC with origin allowlist #2266 remains open; this PR carries the requested review fixes because direct push to the fork branch was denied.

Summary by CodeRabbit

• Bug Fixes

  • Tightened CORS handling to enforce an origin allowlist; only trusted local schemes and loopback addresses are allowed by default, and disallowed origins no longer receive CORS responses.

• Chores

  • Added support for configuring extra allowed origins via environment configuration.

• Tests

  • Added comprehensive tests for allowlist decisions, header emission (including Vary behavior), and edge cases.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b3f0101d-29fc-40ae-99cc-cbfa5753abfc

📥 Commits

Reviewing files that changed from the base of the PR and between 9d1341c and 862225e.

📒 Files selected for processing (1)

• src/core/jsonrpc.rs

💤 Files with no reviewable changes (1)

• src/core/jsonrpc.rs

---

📝 Walkthrough

Walkthrough

The JSON-RPC server's HTTP CORS handling is hardened by replacing Access-Control-Allow-Origin: * with an origin allowlist. Requests from Tauri webviews, loopback hosts, and configured debug origins echo their origin in the response; disallowed origins receive no Access-Control-Allow-Origin header, forcing the browser to block the response. Vary: Origin is added for correct cache behavior.

Changes

CORS Origin Allowlist

Layer / File(s)	Summary
Origin allowlist mechanism and CORS header handling src/core/jsonrpc.rs	Introduces is_origin_allowed_with_extra(origin, extra) and updates is_origin_allowed() to read OPENHUMAN_CORE_ALLOWED_ORIGINS once per call. Changes with_cors_headers(response, origin) to accept an optional Origin, append Vary: Origin, echo allowlisted origins in Access-Control-Allow-Origin, omit the header for disallowed origins, and preserve standard Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Max-Age.
CORS allowlist and header validation tests src/core/jsonrpc_cors_tests.rs	Adds tests that validate Tauri webview origins and loopback hosts (IPv4/IPv6) are allowed and echoed; disallowed and lookalike origins are rejected without Access-Control-Allow-Origin; missing Origin still results in Vary: Origin and no ACAO; env override allows exact-match extra origins (but not suffix lookalikes); and method/header/max-age CORS headers are always present.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• tinyhumansai/openhuman#2266: Similar change tightening CORS on src/core/jsonrpc.rs with an origin allowlist and corresponding tests.

Suggested labels

working

Suggested reviewers

• graycyrus

Poem

🐰 A wildcard once opened the door,
But now only trusted ones pass through for sure.
Tauri and loopback hop in line,
Origins checked — the headers align. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(security): replace wildcard CORS on core RPC' clearly and concisely summarizes the main security fix in the changeset.
Linked Issues check	✅ Passed	All code requirements from #2262 and #2266 are met: explicit origin allowlist for Tauri/loopback/env-override origins, echoing origin in ACAO header, Vary header support, rejection of disallowed origins, and comprehensive test coverage.
Out of Scope Changes check	✅ Passed	All changes directly support the stated objectives: CORS allowlist implementation, environment-variable configuration, test additions, and logging—with no unrelated modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[YOMXXX]

@senamakel #2328 已作为 #2266 的可合并替代 PR 打开并跑绿：24 success / 3 skipped / 0 pending / 0 failure，CodeRabbit approved，review threads 0 unresolved，当前 head 9d1341cff29ef1e1b08721885124ce3267f4a99d，mergeable。它包含 #2266 的 CORS allowlist 修复，并补了 CodeRabbit 要求的 env-test 安全和 Vary append 两个 review 点。麻烦再看一下。

[graycyrus]

Review — graycyrus

Solid security fix. The allowlist logic is clean, the test coverage is thorough, and this fully addresses the acceptance criteria in #2262.

What I checked

Area	Verdict
Origin parsing (Tauri, loopback, IPv6)	Correct — tested against lookalike/suffix attacks
Vary: Origin via append (not insert)	Correct — preserves existing Vary values
Env override exact-match only	Correct — no substring/suffix matching
with_cors_headers signature change (pub(super), new origin param)	Only called from cors_middleware + tests — no breakage
Test isolation (no env::set_var in parallel tests)	Properly uses is_origin_allowed_with_extra injection instead
Non-browser callers (no Origin header)	Unaffected — no ACAO emitted, other CORS headers still present

Observations (informational, not blocking)

• Access-Control-Allow-Methods, -Allow-Headers, and -Max-Age are still emitted for rejected origins. Not exploitable (browser blocks without ACAO), but slightly reveals server capabilities. Could gate those behind the allowlist check in a follow-up if desired.
• std::env::var is read per-request in is_origin_allowed. Negligible for a local RPC server, but if the env override feature sees real use, a cached read might be worth it.

No critical or major findings. LGTM — ready for maintainer approval.

[senamakel]

huge thanks @YOMXXX, locking down that wildcard cors with a proper allowlist is exactly the kind of hardening we love to see 🙌 extra points for killing the process-global env mutation in the tests too, way cleaner. thanks again for another solid one!