satellite-provider/SatelliteProvider.Api/CorsConfigurationValidator.cs

namespace SatelliteProvider.Api;

public static class CorsConfigurationValidator
{
    public const string MissingOriginsMessage =
        "CORS is misconfigured: CorsConfig:AllowedOrigins is empty and CorsConfig:AllowAnyOrigin is not true. " +
        "Refusing to start in Production with a permissive CORS policy. " +
        "Set CorsConfig:AllowedOrigins to a non-empty array, or set CorsConfig:AllowAnyOrigin=true to opt in.";

    public const string PermissiveDefaultWarning =
        "CorsConfig:AllowedOrigins is empty and CorsConfig:AllowAnyOrigin is not true. " +
        "Permissive CORS is being applied for environment {Environment}; do not run with this configuration in Production.";

    public static void EnsureSafeForEnvironment(
        string[] allowedOrigins,
        bool allowAnyOrigin,
        string environmentName)
    {
        ArgumentNullException.ThrowIfNull(allowedOrigins);
        ArgumentNullException.ThrowIfNull(environmentName);

        if (allowedOrigins.Length == 0
            && !allowAnyOrigin
            && string.Equals(environmentName, "Production", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(MissingOriginsMessage);
        }
    }

    public static bool ShouldUsePermissivePolicy(string[] allowedOrigins, bool allowAnyOrigin)
    {
        ArgumentNullException.ThrowIfNull(allowedOrigins);
        return allowAnyOrigin || allowedOrigins.Length == 0;
    }

    public static bool ShouldWarnAboutPermissiveDefault(string[] allowedOrigins, bool allowAnyOrigin)
    {
        ArgumentNullException.ThrowIfNull(allowedOrigins);
        return allowedOrigins.Length == 0 && !allowAnyOrigin;
    }
}