Admin & CORS — CMP Registry

Last updated: 2025-09-14

This guide explains how CORS is enforced by the Registry and how to allow the CMP docs/portal origins during development.

Overview

  • Public endpoints
    • /v1/config sets Access-Control-Allow-Origin to the request’s Origin only when that origin matches one of the allowed domains configured for the site_key.
    • Strict mode is controlled by CORS_STRICT_CONFIG (on by default). When strict, requests from unknown origins are denied with 403.
  • Consent endpoint
    • /v1/consent enforces CORS per site: the request’s Origin must match one of the site’s allowed domains.
  • Admin endpoints
    • /admin/* accept only the origins listed in CORS_ADMIN_ALLOWED_ORIGINS. This is a browser-side control that decides which pages may read the response; it authenticates nothing, and a non-browser client can send any Origin it likes, so the Bearer token remains the authorization check for admin calls.

Environment variables

  • CORS_ADMIN_ALLOWED_ORIGINS
    • CSV list of portal/docs origins allowed to call the admin API, e.g. http://localhost:4310,http://localhost:3002
    • Include every portal/docs host you use (dev/stage/prod). If Swagger UI is served from the registry itself, also list the registry’s own origin: browsers attach an Origin header to non-GET requests even when they are same-origin, so “Try it out” would otherwise be refused by the admin check.
  • CORS_STRICT_CONFIG
    • true (default): /v1/config requires the request’s Origin to match the site’s allowed domains; otherwise 403.
    • false: unknown origins are allowed. Useful for quick local demos; it disables the per-site check, so do not use it outside development.
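The three checks above, as an added worked example in JavaScript (the registry tooling on this page is Node). This is not the Registry’s own code. The environment values, site record and request origins are constructed sample data, and three behaviours the page leaves unspecified are assumptions: site domains are stored as host[:port] without a scheme, a request that carries no Origin header is passed through with no CORS headers, and CORS_STRICT_CONFIG=false reflects any well-formed origin.

```javascript
// Added example (not the Registry's own code): a model of the origin checks
// described on this page. Assumptions not taken from the page: site domains are
// "host[:port]" strings without a scheme, a request with no Origin header is
// passed through without CORS headers, and CORS_STRICT_CONFIG=false reflects
// any well-formed origin.

// Constructed sample environment and site record.
const ENV = {
  CORS_ADMIN_ALLOWED_ORIGINS: "http://localhost:4310, http://localhost:3002",
  CORS_STRICT_CONFIG: "true",
};
const SITES = { DEV_SITE_KEY: { domains: ["localhost:3002", "www.example.com"] } };

const deny = () => ({ status: 403, headers: {} });

function parseCsv(value) {
  return (value ?? "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Parse an Origin value into { scheme, host } (host keeps a non-default port).
// "null", non-http(s) schemes, credentials and anything after the authority are
// rejected so a malformed or smuggled value can never match an allow-list entry.
function parseOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return { scheme: u.protocol.slice(0, -1), host: u.host }; // URL lowercases host
}

function allowHeaders(origin) {
  // Echo exactly the matched origin and tell caches the answer depends on it.
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}

// /v1/config and /v1/consent: per-site allow-list, with the strict switch.
function siteCorsDecision(siteKey, origin, env = ENV, sites = SITES) {
  if (origin === undefined) return { status: 200, headers: {} }; // no Origin: not a browser CORS request (assumption)
  const parsed = parseOrigin(origin);
  if (!parsed) return deny();
  const allowed = new Set((sites[siteKey]?.domains ?? []).map((d) => d.toLowerCase()));
  const strict = String(env.CORS_STRICT_CONFIG ?? "true").toLowerCase() !== "false";
  const canonical = `${parsed.scheme}://${parsed.host}`;
  if (allowed.has(parsed.host)) return { status: 200, headers: allowHeaders(canonical) };
  if (!strict) return { status: 200, headers: allowHeaders(canonical) }; // dev-only reflection of any origin
  return deny();
}

// /admin/*: fixed allow-list from CORS_ADMIN_ALLOWED_ORIGINS. Entries are
// normalised through parseOrigin and matched on the full origin, so
// http://localhost:3002 does not cover https://localhost:3002.
function adminCorsDecision(origin, env = ENV) {
  if (origin === undefined) return { status: 200, headers: {} };
  const parsed = parseOrigin(origin);
  if (!parsed) return deny();
  const canonical = `${parsed.scheme}://${parsed.host}`;
  const allowed = new Set(
    parseCsv(env.CORS_ADMIN_ALLOWED_ORIGINS).map(parseOrigin).filter(Boolean).map((o) => `${o.scheme}://${o.host}`)
  );
  return allowed.has(canonical) ? { status: 200, headers: allowHeaders(canonical) } : deny();
}

// Constructed requests covering the Troubleshooting cases plus two lookalikes.
const cases = [
  ["config", "DEV_SITE_KEY", "http://localhost:3002"],
  ["config", "DEV_SITE_KEY", "http://www.example.com.evil.com"],
  ["admin", null, "http://localhost:3002"],
  ["admin", null, "https://localhost:3002"],
  ["admin", null, "http://localhost:3002/admin"],
];
for (const [kind, key, origin] of cases) {
  const d = kind === "admin" ? adminCorsDecision(origin) : siteCorsDecision(key, origin);
  console.log(`${kind.padEnd(6)} ${origin.padEnd(34)} -> ${d.status} ${d.headers["Access-Control-Allow-Origin"] ?? "(no CORS headers)"}`);
}
```

Run it with node. The points worth carrying into any implementation: match the whole host including the port, so www.example.com.evil.com does not pass for www.example.com; reject the literal origin null, which sandboxed frames send; echo the matched origin rather than a wildcard and add Vary: Origin so a shared cache never serves one origin’s allow header to another; and in strict mode treat an unparseable Origin exactly like an unknown one.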

Allow a docs/portal origin for a Site (dev)

Assumptions: registry host http://dev.digiwedge.com:3320 (the helper script below takes the API base http://dev.digiwedge.com:3320/api), site key DEV_SITE_KEY, origin http://localhost:3002, and a token $TOKEN that has cmp.admin.

Add domain

curl -i -X POST "http://dev.digiwedge.com:3320/admin/sites/by-key/DEV_SITE_KEY/domains" \
-H "authorization: Bearer $TOKEN" \
-H "content-type: application/json" \
-H "Origin: http://localhost:3002" \
--data '{"host":"localhost:3002"}'

The Origin header on this call must itself be listed in CORS_ADMIN_ALLOWED_ORIGINS, or the admin endpoint refuses it. The host value is the origin without its scheme (host plus port), which is what the site’s allow-list is matched against.

Verify

curl -s "http://dev.digiwedge.com:3320/admin/sites/by-key/DEV_SITE_KEY/domains" \
-H "authorization: Bearer $TOKEN" \
-H "Origin: http://localhost:3002" | jq

Remove domain

curl -i -X DELETE "http://dev.digiwedge.com:3320/admin/sites/by-key/DEV_SITE_KEY/domains" \
-H "authorization: Bearer $TOKEN" \
-H "content-type: application/json" \
-H "Origin: http://localhost:3002" \
--data '{"host":"localhost:3002"}'

The DELETE identifies the domain in a JSON body. If a proxy in front of the registry strips bodies from DELETE requests, the call arrives without the host to remove; send it to the registry directly in that case.

Helper script (optional)

You can use the repo helper to add/remove a domain for a site:

# Add
node tools/scripts/cmp-site-domain.mjs add \
--site DEV_SITE_KEY --host localhost:3002 \
--registry http://dev.digiwedge.com:3320/api \
--token "$TOKEN" --origin http://localhost:3002

# Remove
node tools/scripts/cmp-site-domain.mjs remove \
--site DEV_SITE_KEY --host localhost:3002 \
--registry http://dev.digiwedge.com:3320/api \
--token "$TOKEN" --origin http://localhost:3002

Troubleshooting

  • 403 on Admin: ensure CORS_ADMIN_ALLOWED_ORIGINS contains the exact origin the browser sends (scheme, host and port, e.g. http://localhost:3002), then restart the registry so the new value is read.
  • 403 on /v1/config: ensure the site’s allowed domains include the origin’s host (and port), adding it as shown above, or set CORS_STRICT_CONFIG=false for local development only.
  • 429s: the request was rate limited; tune the RATE_LIMIT_* envs (see Operator Checklist).