[FEAT] Per-Merchant CORS Origin Configuration #19

Description

@oomokaro1

Priority: Medium

Difficulty: Medium
Estimated Effort: 1-2 days
Relevant Packages: OrbitStream_backend/, orbitstream_docs/
Labels: enhancement, security, priority:medium

Requirements

1. Merchant Origin Storage

  • Add cors_origins JSONB column to merchants table
  • Store array of allowed origins: ["https://myshop.com", "https://staging.myshop.com"]
  • Maximum 10 origins per merchant

2. Origin CRUD API

  • GET /merchants/me/cors — list configured origins (JWT auth)
  • PUT /merchants/me/cors — set origins (JWT auth)
    • Body: { "origins": ["https://example.com"] }
    • Validate each origin is a valid URL with https scheme
    • Maximum 10 origins
  • DELETE /merchants/me/cors/:origin — remove a specific origin

3. CORS Middleware Integration

  • The dynamic CORS middleware checks the merchant's configured origins
  • For checkout session endpoints (/v1/checkout/sessions/:id), allow the merchant's configured origins
  • Cache merchant origins in Redis (5-minute TTL)

4. Validation

  • Only HTTPS origins allowed in production
  • No wildcards (*) allowed
  • No localhost in production
  • Maximum 10 origins per merchant
  • Each origin must be a valid URL

5. Testing

  • Unit test: origin validation (valid, invalid, localhost in prod)
  • Unit test: maximum origins enforced
  • Integration test: request from merchant's configured origin succeeds
  • Integration test: request from unconfigured origin is rejected
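
One way the rules in sections 4 and 5 could be implemented, as an added example that is not code from this issue or from the OrbitStream repository. It goes slightly beyond the listed rules by storing each origin in canonical form (lower-cased host, default port dropped, no path), so the middleware can compare the browser's Origin header by exact string match. Assumptions: JavaScript is used because the issue does not name the backend language; the function names and the `production` flag are hypothetical; loopback IPs are treated as localhost; plain http is accepted only outside production.

```javascript
// Added example; function names and the `production` flag are hypothetical.
const MAX_ORIGINS = 10; // "Maximum 10 origins per merchant"
// Assumption: loopback IP literals are treated the same as "localhost".
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns { ok: true, origin } with the canonical origin, or { ok: false, reason }.
function validateOrigin(input, { production = true } = {}) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  if (input.includes("*")) return { ok: false, reason: "wildcard" };
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "invalid URL" };
  }
  // Assumption: plain http is tolerated outside production only.
  const schemes = production ? ["https:"] : ["https:", "http:"];
  if (!schemes.includes(url.protocol)) return { ok: false, reason: "scheme" };
  const host = url.hostname;
  if (production && (LOOPBACK.has(host) || host.endsWith(".localhost"))) {
    return { ok: false, reason: "localhost" };
  }
  // An origin is scheme://host[:port] only: reject userinfo, path, query, fragment.
  if (url.href !== url.origin + "/") return { ok: false, reason: "not a bare origin" };
  return { ok: true, origin: url.origin }; // lower-cased host, default port dropped
}

// Validates the `origins` array of a PUT body; returns canonical, de-duplicated origins.
function validateOriginList(origins, opts) {
  if (!Array.isArray(origins)) return { ok: false, errors: ["origins must be an array"] };
  // Reject oversized lists before parsing any entry.
  if (origins.length > MAX_ORIGINS) return { ok: false, errors: ["too many origins"] };
  const results = origins.map((o) => ({ input: o, ...validateOrigin(o, opts) }));
  const errors = results.filter((r) => !r.ok).map((r) => `${r.input}: ${r.reason}`);
  if (errors.length) return { ok: false, errors };
  return { ok: true, origins: [...new Set(results.map((r) => r.origin))] };
}

// Middleware-side check: exact string match against the stored canonical origins.
function isOriginAllowed(requestOrigin, storedOrigins) {
  return typeof requestOrigin === "string" && storedOrigins.includes(requestOrigin);
}
```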
