security: configurable CORS origins, limit sentinel response body

- Add CORS_ALLOWED_ORIGINS config (comma-separated origins, default allow-all)
- CORS middleware now validates Origin header against allowlist
- Add io.LimitReader to sentinel.go (was unbounded, now 256KB)
- Include previous: agent chat auth middleware + frontend token header
This commit is contained in:
shinchan-zhai
2026-03-23 09:53:49 +08:00
parent 2b969ee668
commit 6acf925a0b
7 changed files with 88 additions and 7 deletions

View File

@@ -38,6 +38,11 @@ type Config struct {
// Set EXPERIENCE_IMPROVEMENT=false to disable
ExperienceImprovement bool
// CORS configuration
// Comma-separated list of allowed origins. Empty or "*" means allow all.
// Example: "http://localhost:5173,https://nofx.example.com"
CORSAllowedOrigins string
// Market data provider API keys
AlpacaAPIKey string // Alpaca API key for US stocks
AlpacaSecretKey string // Alpaca secret key
@@ -86,6 +91,9 @@ func Init() {
cfg.ExperienceImprovement = strings.ToLower(v) != "false"
}
// CORS allowed origins (comma-separated, empty = allow all)
cfg.CORSAllowedOrigins = os.Getenv("CORS_ALLOWED_ORIGINS")
// Market data provider API keys
cfg.AlpacaAPIKey = os.Getenv("ALPACA_API_KEY")
cfg.AlpacaSecretKey = os.Getenv("ALPACA_SECRET_KEY")