Migrate CORS middleware to lib-commons chttp.WithCORS() across all components #1978

@gandalf-at-lerian

Context

The plugins (plugin-auth, plugin-identity) have already migrated from Fiber's cors.New() to lib-commons v4's chttp.WithCORS(). Midaz components still use cors.New() directly.

Problem

  • Inconsistent CORS behavior between Midaz and plugins
  • No security warnings when CORS wildcard (*) is used in production
  • No integration with the security tier configuration
  • Each component configures CORS independently with potentially different settings

Proposed Change

Replace cors.New() with chttp.WithCORS() from lib-commons v4 in all Midaz components:

  • ledger
  • transaction
  • plugin-crm
  • onboarding

What chttp.WithCORS() provides

  • Configurable via environment variables (consistent across services)
  • Security warnings when wildcard origins are used
  • Integration with the security tier model
  • Same behavior already running in plugins

Acceptance Criteria

  • All four components use chttp.WithCORS() instead of cors.New()
  • CORS configuration is driven by env vars (aligned with plugin pattern)
  • No wildcard CORS in production environments (or explicit warning logged)
  • Existing CORS behavior preserved for development environments
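
The wildcard rule from the acceptance criteria, sketched as an added Go example; it is not part of the original issue and is not lib-commons or Midaz code. The function name, the `strict` flag, the environment name `production` and the sample origins are assumptions, since the signature of chttp.WithCORS() and its env var names are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrWildcardInProduction is a hypothetical sentinel error, not a lib-commons symbol.
var ErrWildcardInProduction = errors.New("cors: wildcard origin in production")

// ResolveCORSOrigins (hypothetical helper) parses a comma-separated origin list,
// as it would arrive from an env var, and applies the issue's acceptance rule:
// "*" in production is rejected when strict is true, otherwise it is kept and a
// warning is returned for the caller to log. Other environments are unchanged.
func ResolveCORSOrigins(env, raw string, strict bool) (origins, warnings []string, err error) {
	seen := make(map[string]bool)
	for _, o := range strings.Split(raw, ",") {
		o = strings.TrimSpace(o)
		if o == "" || seen[o] {
			continue // skip blanks and duplicates
		}
		seen[o] = true
		origins = append(origins, o)
	}
	if seen["*"] && strings.EqualFold(strings.TrimSpace(env), "production") {
		if strict {
			return nil, nil, ErrWildcardInProduction
		}
		warnings = append(warnings, "CORS wildcard (*) is enabled in production")
	}
	return origins, warnings, nil
}

func main() {
	// Constructed sample inputs: environment name, raw origin list, strict flag.
	cases := []struct {
		env, raw string
		strict   bool
	}{
		{"development", "*", true},
		{"production", "https://app.example.com, https://admin.example.com", true},
		{"production", "*", false},
		{"production", "https://app.example.com,*", true},
	}
	for _, c := range cases {
		o, w, err := ResolveCORSOrigins(c.env, c.raw, c.strict)
		fmt.Printf("env=%s raw=%q -> origins=%v warnings=%v err=%v\n", c.env, c.raw, o, w, err)
	}
}
```

Running the check at service startup, before the middleware is registered, makes a wildcard in production fail the deploy or show up in the first log lines rather than being discovered later.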
