Limit client requests based on origin via Rack-CORS

I have a Rails 4 API that validates an access token during a client request. I have a gors rack and the following setup:

config / application.rb:

config.middleware.insert_before 0, "Rack::Cors" do
  allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :post, :options]
  end
end

      

        
        
        
      

    

I have a model called ApiApp that stores an access token. There is a concern that opening an app to any origin poses a security risk. Is there a way to store the desired Origin, for example "test.com", in the ApiApp and be able to check using the rack-Kors installation that this is a match for every request?

app / controllers / api / v1 / api_controller.rb:

module Api
  module V1
    class ApiController < ApplicationController
      respond_to :json
      before_filter :restrict_access

      private

      def restrict_access
        api_app = ApiApp.find_by_access_token(params[:access_token])
        # need to check that the origin is whitelisted via rack-cors
        head :unauthorized unless api_app
      end
    end
  end
end

      

        
        
        
      

    

I am concerned that the rack-cors configurator is loaded once and cannot access the ApiApp data.

Request example:

https://hello.com/api/v1/products?access_token=7b9f3cddd3914a6f45fa692997fe6dc9

      

        
        
        
      

    

Thanks for any thoughts. I would like to draw your attention to examples showing proofing of origin using a pillar, alternative ways of checking (maybe a title), or any arguments that all are optional.