fix #1598 web_connector: add configuration option for CORS

Author: Fabilin

bot/connector-web/README.md

@@ -129,6 +129,11 @@ response:
 
 A simple [Swagger descriptor](./Swagger_TOCKWebConnector.yaml) of the rest service is provided¬.
 
+### CORS Configuration
+
+By default, the web connector accepts requests from any origin. If a stricter CORS configuration is required, the
+`tock_web_cors_pattern` property can be set to any Regex pattern, against which origin hosts get matched.
+
 ## Additional features
 
 Several features can be optionally used with the Web Connector. Some require specific properties to be set, either
@@ -215,6 +220,11 @@ Additionally, setting the `tock_web_cookie_auth_max_age` property to any positiv
 the cookie's `Max-Age` property to the specified number of seconds. If left to the default or set to a negative value,
 the cookie will not have a `Max-Age` and will expire at the end of the user's browsing session.
 
+The cookie does not have a [Path](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#path_attribute) set by default,
+which potentially allows per-connector user identifiers if the connector paths are sufficiently distinct.
+If sharing the cookie between connectors is the preferred behavior, the `tock_web_cookie_auth_path` property can be used
+to set a fixed `Path` shared by all web connectors.
+
 ### Markdown processing
 
 This connector can process [Markdown formatting](https://daringfireball.net/projects/markdown/) in messages.

bot/connector-web/src/main/kotlin/WebConnector.kt

@@ -26,7 +26,6 @@ import ai.tock.bot.connector.media.MediaAction
 import ai.tock.bot.connector.media.MediaCard
 import ai.tock.bot.connector.media.MediaCarousel
 import ai.tock.bot.connector.media.MediaMessage
-import ai.tock.bot.connector.web.channel.ChannelMongoDAO
 import ai.tock.bot.connector.web.channel.Channels
 import ai.tock.bot.connector.web.send.PostbackButton
 import ai.tock.bot.connector.web.send.UrlButton
@@ -57,6 +56,7 @@ import ai.tock.shared.injector
 import ai.tock.shared.jackson.mapper
 import ai.tock.shared.listProperty
 import ai.tock.shared.longProperty
+import ai.tock.shared.property
 import ai.tock.shared.propertyOrNull
 import ai.tock.shared.provide
 import ai.tock.shared.vertx.vertx
@@ -83,10 +83,12 @@ private const val TOCK_USER_ID = "tock_user_id"
  */
 val webConnectorType = ConnectorType(WEB_CONNECTOR_ID)
 
+private val corsPattern = property("tock_web_cors_pattern", ".*")
 private val sseEnabled = booleanProperty("tock_web_sse", false)
 private val sseKeepaliveDelay = longProperty("tock_web_sse_keepalive_delay", 10)
 private val cookieAuth = booleanProperty("tock_web_cookie_auth", false)
 private val cookieAuthMaxAge = longProperty("tock_web_cookie_auth_max_age", -1)
+private val cookieAuthPath = propertyOrNull("tock_web_cookie_auth_path")
 
 private val webConnectorBridgeEnabled = booleanProperty("tock_web_connector_bridge_enabled", false)
 
@@ -125,7 +127,7 @@ class WebConnector internal constructor(
             router.route(path)
                 .handler(
                     CorsHandler.create()
-                        .addRelativeOrigin(".*") // "*"+credentials is rejected by browsers, so we use the equivalent regex instead
+                        .addRelativeOrigin(corsPattern)
                         .allowedMethod(HttpMethod.POST)
                         .run {
                             if (sseEnabled) allowedMethod(HttpMethod.GET) else this
@@ -217,6 +219,10 @@ class WebConnector internal constructor(
                 cookie.setMaxAge(cookieAuthMaxAge)
             }
 
+            if (cookieAuthPath != null) {
+                cookie.setPath(cookieAuthPath)
+            }
+
             context.response().addCookie(cookie)
 
             cookieValue