-rw-r--r--cmd/ponzu/main.go2
-rw-r--r--system/addon/api.go8
-rw-r--r--system/admin/config/config.go12
-rw-r--r--system/admin/handlers.go2
-rw-r--r--system/admin/server.go4
-rw-r--r--system/api/handlers.go6
-rw-r--r--system/api/server.go8
-rw-r--r--system/db/cache.go2
-rw-r--r--system/db/config.go2
-rw-r--r--system/db/init.go2
-rw-r--r--system/tls/devcerts.go2
-rw-r--r--system/tls/enable.go2
12 files changed, 34 insertions, 18 deletions
diff --git a/cmd/ponzu/main.go b/cmd/ponzu/main.go
index 90ad613..2bee2e5 100644
--- a/cmd/ponzu/main.go
+++ b/cmd/ponzu/main.go
@@ -193,7 +193,7 @@ func main() {
fmt.Println("Enabling HTTPS...")
go tls.Enable()
- fmt.Printf("Server listening on :%s for HTTPS requests...\n", db.ConfigCache("https_port"))
+ fmt.Printf("Server listening on :%s for HTTPS requests...\n", db.ConfigCache("https_port").(string))
}
// save the https port the system is listening on so internal system can make
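Review bot: The single-value assertion `db.ConfigCache("https_port").(string)` panics if the cache holds nil or a non-string for that key, a failure that could not occur while ConfigCache returned `string`. The same unchecked `.(string)` is added in system/addon/api.go (both hunks), system/admin/handlers.go, system/db/cache.go (inside the per-request handler), system/db/init.go, system/tls/devcerts.go and system/tls/enable.go. Whether `configCache.Get` can return nil for an unset key is not visible here, so treat this as a risk to confirm. The two-value form `port, ok := db.ConfigCache("https_port").(string)` with an explicit fallback, or one typed helper in package db, would keep a missing key from taking down startup or a request. main's body continues outside the hunk.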
diff --git a/system/addon/api.go b/system/addon/api.go
index 9b54d6e..cd792aa 100644
--- a/system/addon/api.go
+++ b/system/addon/api.go
@@ -18,8 +18,8 @@ type QueryOptions db.QueryOptions
// ContentAll retrives all items from the HTTP API within the provided namespace
func ContentAll(namespace string) []byte {
- host := db.ConfigCache("domain")
- port := db.ConfigCache("http_port")
+ host := db.ConfigCache("domain").(string)
+ port := db.ConfigCache("http_port").(string)
endpoint := "http://%s:%s/api/contents?type=%s&count=-1"
URL := fmt.Sprintf(endpoint, host, port, namespace)
@@ -35,8 +35,8 @@ func ContentAll(namespace string) []byte {
// Query retrieves a set of content from the HTTP API based on options
// and returns the total number of content in the namespace and the content
func Query(namespace string, opts QueryOptions) []byte {
- host := db.ConfigCache("domain")
- port := db.ConfigCache("http_port")
+ host := db.ConfigCache("domain").(string)
+ port := db.ConfigCache("http_port").(string)
endpoint := "http://%s:%s/api/contents?type=%s&count=%d&offset=%d&order=%s"
URL := fmt.Sprintf(endpoint, host, port, namespace, opts.Count, opts.Offset, opts.Order)
diff --git a/system/admin/config/config.go b/system/admin/config/config.go
index 7b57dc0..c83eb32 100644
--- a/system/admin/config/config.go
+++ b/system/admin/config/config.go
@@ -16,6 +16,7 @@ type Config struct {
AdminEmail string `json:"admin_email"`
ClientSecret string `json:"client_secret"`
Etag string `json:"etag"`
+ DisableCORS []string `json:"cors_disabled"`
CacheInvalidate []string `json:"cache"`
}
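Review bot: `DisableCORS []string` encodes a single on/off choice as a slice and carries no comment saying what the slice holds. It follows the existing `CacheInvalidate` pattern, and judging by the checkbox options added later in this file it presumably contains `"true"` when ticked and is empty otherwise. A field comment such as `// DisableCORS holds the checkbox value: ["true"] when cross-origin access is turned off, empty otherwise` would tell consumers that index 0 is not guaranteed to exist.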
@@ -49,7 +50,7 @@ func (c *Config) MarshalEditor() ([]byte, error) {
},
editor.Field{
View: editor.Input("AdminEmail", c, map[string]string{
- "label": "Adminstrator Email (will be notified of internal system information)",
+ "label": "Adminstrator Email (notified of internal system information)",
}),
},
editor.Field{
@@ -65,7 +66,7 @@ func (c *Config) MarshalEditor() ([]byte, error) {
},
editor.Field{
View: editor.Input("Etag", c, map[string]string{
- "label": "Etag Header (used for static asset cache)",
+ "label": "Etag Header (used to cache resources)",
"disabled": "true",
}),
},
@@ -75,6 +76,13 @@ func (c *Config) MarshalEditor() ([]byte, error) {
}),
},
editor.Field{
+ View: editor.Checkbox("DisableCORS", c, map[string]string{
+ "label": "Disable CORS (so only " + c.Domain + " can fetch your data)",
+ }, map[string]string{
+ "true": "Disable",
+ }),
+ },
+ editor.Field{
View: editor.Checkbox("CacheInvalidate", c, map[string]string{
"label": "Invalidate cache on save",
}, map[string]string{
diff --git a/system/admin/handlers.go b/system/admin/handlers.go
index c39fee4..59e7a66 100644
--- a/system/admin/handlers.go
+++ b/system/admin/handlers.go
@@ -92,7 +92,7 @@ func initHandler(res http.ResponseWriter, req *http.Request) {
}
// set HTTP port which should be previously added to config cache
- port := db.ConfigCache("http_port")
+ port := db.ConfigCache("http_port").(string)
req.Form.Set("http_port", port)
// set initial user email as admin_email and make config
diff --git a/system/admin/server.go b/system/admin/server.go
index f2bf244..991f2d2 100644
--- a/system/admin/server.go
+++ b/system/admin/server.go
@@ -51,5 +51,7 @@ func Run() {
// even if the API server is not running. Otherwise, images/files uploaded
// through the editor will not load within the admin system.
uploadsDir := filepath.Join(pwd, "uploads")
- http.Handle("/api/uploads/", api.Record(db.CacheControl(http.StripPrefix("/api/uploads/", http.FileServer(restrict(http.Dir(uploadsDir)))))))
+ http.Handle("/api/uploads/", api.Record(api.CORS(db.CacheControl(
+ http.StripPrefix("/api/uploads/", http.FileServer(
+ restrict(http.Dir(uploadsDir))))))))
}
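Review bot: Wrapping the uploads handler in `api.CORS` applies `db.CacheControl` twice, because `CORS` itself returns `db.CacheControl(...)` (system/api/handlers.go) and `CacheControl` uses `Header().Add`, so each response would carry duplicate `ETag` and `Cache-Control` headers. Dropping the inner wrapper avoids that: `http.Handle("/api/uploads/", api.Record(api.CORS(http.StripPrefix("/api/uploads/", http.FileServer(restrict(http.Dir(uploadsDir)))).ServeHTTP)))`. Also, once the new setting is on, `CORS` answers 403 for this route too, which contradicts the comment above about uploads having to load inside the admin system. Run begins outside the hunk.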
diff --git a/system/api/handlers.go b/system/api/handlers.go
index 1bc4fbb..0be98a4 100644
--- a/system/api/handlers.go
+++ b/system/api/handlers.go
@@ -254,6 +254,12 @@ func sendPreflight(res http.ResponseWriter) {
// CORS wraps a HandleFunc to respond to OPTIONS requests properly
func CORS(next http.HandlerFunc) http.HandlerFunc {
+ if db.ConfigCache("cors_disabled").([]string)[0] == "true" {
+ return http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
+ res.WriteHeader(http.StatusForbidden)
+ })
+ }
+
return db.CacheControl(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodOptions {
sendPreflight(res)
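Review bot: The `cors_disabled` check runs once, when `CORS(...)` is called while routes are registered (system/api/server.go and system/admin/server.go), not per request. An administrator who ticks the box therefore gets no restriction until the process restarts, and unticking it does not lift the 403 either. The expression `db.ConfigCache("cors_disabled").([]string)[0]` also panics when the key is unset or the slice is empty, which is the likely state for an unticked checkbox. When the flag is set, every request is refused, including those from the site's own domain, which is broader than the admin label promises. If only foreign origins should be blocked, the `Origin` header needs to be compared with the configured domain. The sketch below moves the test into the request path with a checked assertion and keeps the 403 outside `db.CacheControl` so it is not sent with a public cache policy; CORS's body continues past the end of the hunk.

```go
func CORS(next http.HandlerFunc) http.HandlerFunc {
	wrapped := withCORS(next) // built once at registration

	return func(res http.ResponseWriter, req *http.Request) {
		// read the setting on every request so a change in the admin applies immediately
		if v, ok := db.ConfigCache("cors_disabled").([]string); ok && len(v) > 0 && v[0] == "true" {
			res.WriteHeader(http.StatusForbidden)
			return
		}

		wrapped(res, req)
	}
}

// withCORS holds the former body of CORS
func withCORS(next http.HandlerFunc) http.HandlerFunc {
	return db.CacheControl(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
		// … unchanged: OPTIONS preflight handling and call to next …
```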
diff --git a/system/api/server.go b/system/api/server.go
index f31a748..4b8b22e 100644
--- a/system/api/server.go
+++ b/system/api/server.go
@@ -4,11 +4,11 @@ import "net/http"
// Run adds Handlers to default http listener for API
func Run() {
- http.HandleFunc("/api/types", CORS(Record(typesHandler)))
+ http.HandleFunc("/api/types", Record(CORS(typesHandler)))
- http.HandleFunc("/api/contents", CORS(Record(contentsHandler)))
+ http.HandleFunc("/api/contents", Record(CORS(contentsHandler)))
- http.HandleFunc("/api/content", CORS(Record(contentHandler)))
+ http.HandleFunc("/api/content", Record(CORS(contentHandler)))
- http.HandleFunc("/api/content/external", CORS(Record(externalContentHandler)))
+ http.HandleFunc("/api/content/external", Record(CORS(externalContentHandler)))
}
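Review bot: The swap from `CORS(Record(h))` to `Record(CORS(h))` is not explained, and it changes what `Record` sees: it now runs for requests that `CORS` answers itself (preflight `OPTIONS`, and the new 403 path) rather than only for requests that reach the handler. `Record`'s body is not visible here, so whether counting those is intended cannot be confirmed. A comment above the registrations would settle it, for example `// Record is outermost so that rejected and preflight requests are logged as well`.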
diff --git a/system/db/cache.go b/system/db/cache.go
index 30ecf5a..0120147 100644
--- a/system/db/cache.go
+++ b/system/db/cache.go
@@ -11,7 +11,7 @@ import (
// CacheControl sets the default cache policy on static asset responses
func CacheControl(next http.Handler) http.HandlerFunc {
return http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
- etag := ConfigCache("etag")
+ etag := ConfigCache("etag").(string)
policy := fmt.Sprintf("max-age=%d, public", 60*60*24*30)
res.Header().Add("ETag", etag)
res.Header().Add("Cache-Control", policy)
diff --git a/system/db/config.go b/system/db/config.go
index 45b3952..f1d1215 100644
--- a/system/db/config.go
+++ b/system/db/config.go
@@ -166,6 +166,6 @@ func PutConfig(key string, value interface{}) error {
// ConfigCache is a in-memory cache of the Configs for quicker lookups
// 'key' is the JSON tag associated with the config field
-func ConfigCache(key string) string {
+func ConfigCache(key string) interface{} {
return configCache.Get(key)
}
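Review bot: The doc comment still describes only the key, while the return type is now `interface{}` and every caller has to know the dynamic type per key. The comment should state the contract, for example `// The returned value has the type stored for that config field (string for most keys, []string for checkbox fields) and may be nil when the key is not cached; callers must type-assert with the two-value form.` The nil case is an assumption, since `configCache.Get` is not shown, and should be confirmed before it goes in the comment.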
diff --git a/system/db/init.go b/system/db/init.go
index eaf6d76..98ba056 100644
--- a/system/db/init.go
+++ b/system/db/init.go
@@ -71,7 +71,7 @@ func Init() {
}
}
- clientSecret := ConfigCache("client_secret")
+ clientSecret := ConfigCache("client_secret").(string)
if clientSecret != "" {
jwt.Secret([]byte(clientSecret))
diff --git a/system/tls/devcerts.go b/system/tls/devcerts.go
index f4dc18f..0554aa4 100644
--- a/system/tls/devcerts.go
+++ b/system/tls/devcerts.go
@@ -89,7 +89,7 @@ func setupDev() {
}
hosts := []string{"localhost", "0.0.0.0"}
- domain := db.ConfigCache("domain")
+ domain := db.ConfigCache("domain").(string)
if domain != "" {
hosts = append(hosts, domain)
}
diff --git a/system/tls/enable.go b/system/tls/enable.go
index f9c16d8..4279b55 100644
--- a/system/tls/enable.go
+++ b/system/tls/enable.go
@@ -70,7 +70,7 @@ func Enable() {
setup()
server := &http.Server{
- Addr: fmt.Sprintf(":%s", db.ConfigCache("https_port")),
+ Addr: fmt.Sprintf(":%s", db.ConfigCache("https_port").(string)),
TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
}