add cors support

pkg/config/config_test.go

@@ -36,6 +36,8 @@ var testDefaultConfig = &AppConfig{
 		LogRequests:           false,
 		EnableReflection:      true,
 		EnableInstrumentation: true,
+		EnableGRPCGateway:     true,
+		GRPCGatewayPath:       "/grpc-api",
 	},
 	OTEL: &OTELConfig{
 		Enabled:            true,
@@ -90,6 +92,8 @@ func Test_loadConfig(t *testing.T) {
 					LogRequests:           false,
 					EnableReflection:      true,
 					EnableInstrumentation: true,
+					EnableGRPCGateway:     true,
+					GRPCGatewayPath:       "/grpc-api",
 				},
 				OTEL: &OTELConfig{
 					Enabled:            true,
@@ -128,6 +132,8 @@ func Test_loadConfig(t *testing.T) {
 					LogRequests:           true,
 					EnableReflection:      false,
 					EnableInstrumentation: false,
+					EnableGRPCGateway:     true,
+					GRPCGatewayPath:       "/grpc-api",
 				},
 				OTEL: &OTELConfig{
 					Enabled:            false,

pkg/config/types_http.go

@@ -14,6 +14,8 @@ var defaultHTTPConfig = &HTTPConfig{
 	ReadTimeout:  "10s",
 	WriteTimeout: "10s",
 	IdleTimeout:  "1m",
+
+	CORSEnabled: false,
 }
 
 // HTTPConfig provides HTTP server Configuration
@@ -25,11 +27,18 @@ type HTTPConfig struct {
 	ReadTimeout           string   `yaml:"readTimeout" env:"APP_HTTP_READ_TIMEOUT" json:"readTimeout,omitempty"`    // Go duration (e.g. 10s)
 	WriteTimeout          string   `yaml:"writeTimeout" env:"APP_HTTP_WRITE_TIMEOUT" json:"writeTimeout,omitempty"` // Go duration (e.g. 10s)
 	IdleTimeout           string   `yaml:"idleTimeout" env:"APP_HTTP_IDLE_TIMEOUT" json:"idleTimeout,omitempty"`    // Go duration (e.g. 10s)
-	excludeRegexps        []*regexp.Regexp
-	rT                    *time.Duration
-	wT                    *time.Duration
-	iT                    *time.Duration
-	lock                  sync.RWMutex
+
+	// CORS configuration
+	CORSEnabled            bool     `yaml:"corsEnabled" env:"APP_HTTP_CORS_ENABLED" json:"corsEnabled,omitempty"`
+	CORSAllowedOrigins     []string `yaml:"corsAllowedOrigins" env:"APP_HTTP_CORS_ALLOWED_ORIGINS" json:"corsAllowedOrigins,omitempty"`         // Defaults to ["*"] if empty and CORS enabled
+	CORSAllowCredentials   bool     `yaml:"corsAllowCredentials" env:"APP_HTTP_CORS_ALLOW_CREDENTIALS" json:"corsAllowCredentials,omitempty"`   // Allow credentials (cookies, auth headers)
+	CORSAllowPrivateNetwork bool    `yaml:"corsAllowPrivateNetwork" env:"APP_HTTP_CORS_ALLOW_PRIVATE_NETWORK" json:"corsAllowPrivateNetwork,omitempty"` // Allow requests from private networks
+
+	excludeRegexps []*regexp.Regexp
+	rT             *time.Duration
+	wT             *time.Duration
+	iT             *time.Duration
+	lock           sync.RWMutex
 }
 
 func (h *HTTPConfig) GetExcludeRegexps() []*regexp.Regexp {

pkg/srv/http/http.go

@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/rs/cors"
 	"github.com/rs/zerolog"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.opentelemetry.io/otel/metric"
@@ -146,6 +147,29 @@ func prepHTTPServer(opts *opts.AppHTTP) *http.Server {
 		handler = loggingMiddleware(opts.Ctx, handler)
 	}
 
+	// Apply CORS middleware if enabled
+	if cfg.HTTP.CORSEnabled {
+		allowedOrigins := cfg.HTTP.CORSAllowedOrigins
+		if len(allowedOrigins) == 0 {
+			allowedOrigins = []string{"*"}
+		}
+
+		corsHandler := cors.New(cors.Options{
+			AllowedOrigins:      allowedOrigins,
+			AllowedMethods:      []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
+			AllowedHeaders:      []string{"*"},
+			AllowCredentials:    cfg.HTTP.CORSAllowCredentials,
+			AllowPrivateNetwork: cfg.HTTP.CORSAllowPrivateNetwork,
+		})
+		handler = corsHandler.Handler(handler)
+
+		l.Info().
+			Strs("allowedOrigins", allowedOrigins).
+			Bool("allowCredentials", cfg.HTTP.CORSAllowCredentials).
+			Bool("allowPrivateNetwork", cfg.HTTP.CORSAllowPrivateNetwork).
+			Msg("CORS enabled")
+	}
+
 	return &http.Server{
 		Addr:         cfg.HTTP.Listen,
 		ReadTimeout:  readTimeout,