[SEC] restrict CORS to authorized extension IDs

Fixes a security issue where any Firefox extension (moz-extension://.*) could access the ActivityWatch server without any restriction.

Previously, the CORS configuration included a wildcard for all Mozilla extensions.
This commit removes that blanket permission and introduces logic to parse specific
authorized extension IDs from the server settings.

Since manually adding extension URIs can be technical for non-developers, we've
consolidated the configuration into a single 'Cors' field in the settings UI.
The server automatically sorts these into exact matches (for http/https) or
regex matches (for browser extensions), ensuring a simpler and more secure
configuration experience.

Dependent on: odoo/aw-webui#1

Author: RaoufGhrissi

.gitignore

@@ -10,3 +10,5 @@ NDK
 *.sqlite*
 *.db
 *.db-journal
+
+.vscode

Cargo.lock

@@ -34,6 +34,7 @@ aw-datastore = { path = "../aw-datastore" }
 aw-models = { path = "../aw-models" }
 aw-transform = { path = "../aw-transform" }
 aw-query = { path = "../aw-query" }
+regex = "1.12.3"
 
 [target.'cfg(target_os="linux")'.dependencies]
 sd-notify = "0.4.2"

aw-server/Cargo.toml

@@ -36,6 +36,24 @@ pub struct AWConfig {
     #[serde(default = "default_cors")]
     pub cors_regex: Vec<String>,
 
+    #[serde(default = "default_true")]
+    pub allow_aw_chrome_extension: bool,
+
+    #[serde(default = "default_false")]
+    pub allow_all_mozilla_extension: bool,
+
+    #[serde(default = "default_cors")]
+    pub cors_from_settings: Vec<String>,
+
+    #[serde(default = "default_cors")]
+    pub cors_regex_from_settings: Vec<String>,
+
+    #[serde(skip)]
+    pub allow_aw_chrome_extension_from_settings: Option<bool>,
+
+    #[serde(skip)]
+    pub allow_all_mozilla_extension_from_settings: Option<bool>,
+
     // A mapping of watcher names to paths where the
     // custom visualizations are located.
     #[serde(default = "default_custom_static")]
@@ -50,6 +68,12 @@ impl Default for AWConfig {
             testing: default_testing(),
             cors: default_cors(),
             cors_regex: default_cors(),
+            allow_aw_chrome_extension: default_true(),
+            allow_all_mozilla_extension: default_false(),
+            cors_from_settings: default_cors(),
+            cors_regex_from_settings: default_cors(),
+            allow_aw_chrome_extension_from_settings: None,
+            allow_all_mozilla_extension_from_settings: None,
             custom_static: default_custom_static(),
         }
     }
@@ -91,6 +115,14 @@ fn default_testing() -> bool {
     is_testing()
 }
 
+fn default_true() -> bool {
+    true
+}
+
+fn default_false() -> bool {
+    false
+}
+
 fn default_port() -> u16 {
     if is_testing() {
         5666

aw-server/src/config.rs

@@ -8,20 +8,29 @@ pub fn cors(config: &AWConfig) -> rocket_cors::Cors {
     let root_url_localhost = format!("http://localhost:{}", config.port);
     let mut allowed_exact_origins = vec![root_url, root_url_localhost];
     allowed_exact_origins.extend(config.cors.clone());
+    allowed_exact_origins.extend(config.cors_from_settings.clone());
 
-    if config.testing {
-        allowed_exact_origins.push("http://127.0.0.1:27180".to_string());
-        allowed_exact_origins.push("http://localhost:27180".to_string());
+    let mut allowed_regex_origins = config.cors_regex.clone();
+    allowed_regex_origins.extend(config.cors_regex_from_settings.clone());
+
+    // Settings-based flags override file-based config flags
+    let allow_chrome = config.allow_aw_chrome_extension_from_settings
+        .unwrap_or(config.allow_aw_chrome_extension);
+    if allow_chrome {
+        allowed_regex_origins.push("chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string());
     }
-    let mut allowed_regex_origins = vec![
-        "chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string(),
-        // Every version of a mozilla extension has its own ID to avoid fingerprinting, so we
-        // unfortunately have to allow all extensions to have access to aw-server
-        "moz-extension://.*".to_string(),
-    ];
-    allowed_regex_origins.extend(config.cors_regex.clone());
+
+    let allow_mozilla = config.allow_all_mozilla_extension_from_settings
+        .unwrap_or(config.allow_all_mozilla_extension);
+    if allow_mozilla {
+        allowed_regex_origins.push("moz-extension://.*".to_string());
+    }
+
     if config.testing {
-        allowed_regex_origins.push("chrome-extension://.*".to_string());
+        allowed_exact_origins.extend(vec![
+            "http://127.0.0.1:27180".to_string(), 
+            "http://localhost:27180".to_string(),
+        ]);
     }
 
     let allowed_origins = AllowedOrigins::some(&allowed_exact_origins, &allowed_regex_origins);
@@ -31,7 +40,6 @@ pub fn cors(config: &AWConfig) -> rocket_cors::Cors {
         .collect();
     let allowed_headers = AllowedHeaders::all(); // TODO: is this unsafe?
 
-    // You can also deserialize this
     rocket_cors::CorsOptions {
         allowed_origins,
         allowed_methods,

aw-server/src/endpoints/cors.rs

@@ -127,11 +127,44 @@ fn get_file(file: PathBuf, state: &State<ServerState>) -> Option<(ContentType, V
     Some((content_type, asset))
 }
 
-pub fn build_rocket(server_state: ServerState, config: AWConfig) -> rocket::Rocket<rocket::Build> {
+pub fn build_rocket(server_state: ServerState, mut config: AWConfig) -> rocket::Rocket<rocket::Build> {
     info!(
         "Starting aw-server-rust at {}:{}",
         config.address, config.port
     );
+    {
+        let db = server_state.datastore.lock().unwrap();
+        let parse_cors_list = |raw: String| -> Vec<String> {
+            serde_json::from_str::<String>(&raw)
+                .unwrap_or_default()
+                .split(',')
+                .map(|s| s.trim().to_string())
+                .filter(|s| !s.is_empty())
+                .collect()
+        };
+        let parse_bool = |raw: String| -> Option<bool> {
+            serde_json::from_str::<bool>(&raw)
+                .ok()
+                .or_else(|| {
+                    if raw == "true" { Some(true) }
+                    else if raw == "false" { Some(false) }
+                    else { None }
+                })
+        };
+
+        if let Ok(raw) = db.get_key_value("settings.cors") {
+            config.cors_from_settings = parse_cors_list(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.cors_regex") {
+            config.cors_regex_from_settings = parse_cors_list(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.allow_aw_chrome_extension") {
+            config.allow_aw_chrome_extension_from_settings = parse_bool(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.allow_all_mozilla_extension") {
+            config.allow_all_mozilla_extension_from_settings = parse_bool(raw);
+        }
+    } // lock released here
     let cors = cors::cors(&config);
     let hostcheck = hostcheck::HostCheck::new(&config);
     let custom_static = config.custom_static.clone();