Adding embedding functionality

1 month ago · 46838a2b79
parent 9bc624d550
commit 46838a2b79
19 changed files with 503 additions and 4 deletions
--- a/app/controllers/account_configs_controller.rb
+++ b/app/controllers/account_configs_controller.rb
@ -25,7 +25,8 @@ class AccountConfigsController < ApplicationController
    AccountConfig::COMBINE_PDF_RESULT_KEY,
    AccountConfig::REQUIRE_SIGNING_REASON_KEY,
    AccountConfig::DOCUMENT_FILENAME_FORMAT_KEY,
-    AccountConfig::ENABLE_MCP_KEY
+    AccountConfig::ENABLE_MCP_KEY,
+    AccountConfig::EMBED_ALLOWED_ORIGINS_KEY
  ].freeze

  InvalidKey = Class.new(StandardError)
@ -60,6 +61,22 @@ class AccountConfigsController < ApplicationController
  def account_config_params
    params.required(:account_config).permit(:key, :value, { value: {} }, { value: [] }).tap do |attrs|
      attrs[:value] = attrs[:value] == '1' if attrs[:value].in?(%w[1 0])
+      attrs[:value] = normalize_origins(attrs[:value]) if attrs[:key] == AccountConfig::EMBED_ALLOWED_ORIGINS_KEY
    end
  end
+
+  def normalize_origins(value)
+    value.to_s.split(/[\s,]+/).filter_map do |origin|
+      uri = Addressable::URI.parse(origin.strip)
+
+      next unless uri.scheme.in?(%w[http https]) && uri.host.present?
+
+      uri.path = nil
+      uri.query = nil
+      uri.fragment = nil
+      uri.to_s.delete_suffix('/')
+    rescue Addressable::URI::InvalidURIError
+      nil
+    end.uniq
+  end
 end
--- a/app/controllers/api/api_base_controller.rb
+++ b/app/controllers/api/api_base_controller.rb
@ -2,6 +2,7 @@

 module Api
  class ApiBaseController < ActionController::API
+    include EmbedCors
    include ActiveStorage::SetCurrent
    include Pagy::Method

@ -13,6 +14,7 @@ module Api
    wrap_parameters false

    before_action :authenticate_user!
+    before_action :set_embed_cors_headers
    check_authorization

    rescue_from Params::BaseValidator::InvalidParameterError do |e|
--- a/app/controllers/api/attachments_controller.rb
+++ b/app/controllers/api/attachments_controller.rb
@ -2,6 +2,7 @@

 module Api
  class AttachmentsController < ActionController::API
+    include EmbedCors
    include ActionController::Cookies
    include ActiveStorage::SetCurrent

@ -9,6 +10,9 @@ module Api

    def create
      submitter = Submitter.find_by!(slug: params[:submitter_slug])
+      @embed_cors_account = submitter.account
+
+      set_embed_cors_headers

      unless can_upload?(submitter)
        Rollbar.error("Can't upload: #{submitter.id}") if defined?(Rollbar)
--- a/app/controllers/api/submitter_email_clicks_controller.rb
+++ b/app/controllers/api/submitter_email_clicks_controller.rb
@ -7,6 +7,9 @@ module Api

    def create
      @submitter = Submitter.find_by!(slug: params[:submitter_slug])
+      @embed_cors_account = @submitter.account
+
+      set_embed_cors_headers

      if params[:t] == SubmissionEvents.build_tracking_param(@submitter, 'click_email')
        SubmissionEvents.create_with_tracking_data(@submitter, 'click_email', request)
--- a/app/controllers/api/submitter_form_views_controller.rb
+++ b/app/controllers/api/submitter_form_views_controller.rb
@ -7,6 +7,9 @@ module Api

    def create
      @submitter = Submitter.find_by!(slug: params[:submitter_slug])
+      @embed_cors_account = @submitter.account
+
+      set_embed_cors_headers

      @submitter.opened_at = Time.current
      @submitter.save
--- a/app/controllers/concerns/embed_cors.rb
+++ b/app/controllers/concerns/embed_cors.rb
@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module EmbedCors
+  extend ActiveSupport::Concern
+
+  private
+
+  def set_embed_cors_headers
+    allowed_origin = embed_cors_allowed_origin
+
+    headers.delete('Access-Control-Allow-Origin')
+
+    return if allowed_origin.blank?
+
+    headers['Access-Control-Allow-Origin'] = allowed_origin
+    headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
+    headers['Access-Control-Allow-Headers'] = '*'
+    headers['Access-Control-Max-Age'] = '1728000'
+    headers['Vary'] = [headers['Vary'], 'Origin'].compact_blank.join(', ') unless allowed_origin == '*'
+  end
+
+  def embed_cors_allowed_origin
+    origin = normalized_embed_origin(request.headers['Origin'])
+
+    return '*' if origin.blank?
+
+    account_origins = configured_embed_origins_for_account(embed_cors_account)
+
+    return origin if account_origins.include?(origin)
+    return if account_origins.present?
+
+    configured_origins = configured_embed_origins
+
+    return origin if configured_origins.include?(origin)
+    return if configured_origins.present?
+
+    '*'
+  end
+
+  def configured_embed_origins_for_account(account)
+    normalize_embed_origins(
+      account&.account_configs&.find_by(key: AccountConfig::EMBED_ALLOWED_ORIGINS_KEY)&.value
+    )
+  end
+
+  def configured_embed_origins
+    normalize_embed_origins(
+      AccountConfig.where(key: AccountConfig::EMBED_ALLOWED_ORIGINS_KEY).map(&:value).flatten
+    )
+  end
+
+  def normalize_embed_origins(value)
+    Array.wrap(value).filter_map { |origin| normalized_embed_origin(origin) }.uniq
+  end
+
+  def normalized_embed_origin(origin)
+    return if origin.blank?
+
+    uri = Addressable::URI.parse(origin.to_s.strip)
+
+    return unless uri.scheme.in?(%w[http https]) && uri.host.present?
+
+    uri.path = nil
+    uri.query = nil
+    uri.fragment = nil
+    uri.to_s.delete_suffix('/')
+  rescue Addressable::URI::InvalidURIError
+    nil
+  end
+
+  def embed_cors_account
+    return @embed_cors_account if defined?(@embed_cors_account)
+
+    current_account if respond_to?(:current_account, true)
+  end
+end
--- a/app/controllers/cors_preflight_controller.rb
+++ b/app/controllers/cors_preflight_controller.rb
@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class CorsPreflightController < ActionController::API
+  include EmbedCors
+
+  before_action :set_embed_cors_headers
+
+  def show
+    head :ok
+  end
+end
--- a/app/controllers/embed/forms_controller.rb
+++ b/app/controllers/embed/forms_controller.rb
@ -0,0 +1,267 @@
+# frozen_string_literal: true
+
+module Embed
+  class FormsController < ActionController::API
+    include ActionController::Cookies
+    include ActiveStorage::SetCurrent
+    include EmbedCors
+
+    before_action :set_embed_cors_headers, only: :preflight
+
+    def create
+      slug = token_payload['slug'] || params[:slug].presence || params[:template_slug].presence
+
+      raise ActiveRecord::RecordNotFound if slug.blank?
+
+      submitter = Submitter.find_by(slug: slug)
+
+      payload =
+        if submitter
+          @embed_cors_account = submitter.account
+
+          form_json(submitter)
+        else
+          template = Template.find_by!(slug: slug)
+          @embed_cors_account = template.account
+
+          form_json_for_template(template)
+        end
+
+      set_embed_cors_headers
+
+      render json: payload, status: payload[:error].present? ? :unprocessable_content : :ok
+    end
+
+    def preflight
+      head :ok
+    end
+
+    private
+
+    def form_json_for_template(template)
+      raise ActiveRecord::RecordNotFound if template.archived_at? || template.account.archived_at?
+      raise ActiveRecord::RecordNotFound unless template.shared_link?
+
+      attrs = submitter_params
+
+      return { template: template_json(template), logo: logo_json(template.account) } if attrs.compact_blank.blank?
+
+      submitter = find_or_initialize_submitter(template, attrs)
+
+      if selected_template_submitter(template).blank? && filter_undefined_submitters(template).size > 1 && submitter.new_record?
+        return { error: I18n.t('this_template_has_multiple_parties_which_prevents_the_use_of_a_sharing_link') }
+      end
+
+      if submitter.new_record?
+        assign_submission_attributes(submitter, template)
+        Submissions::AssignDefinedSubmitters.call(submitter.submission)
+      else
+        submitter.assign_attributes(ip: request.remote_ip, ua: request.user_agent)
+      end
+
+      submitter.values = values_param.presence || submitter.values
+      submitter.metadata = metadata_param.presence || submitter.metadata
+      submitter.external_id = params[:external_id].presence || submitter.external_id
+
+      if template.preferences['shared_link_2fa'] == true &&
+         !Submitters::AuthorizedForForm.pass_link_2fa?(submitter, nil, request)
+        Submitters.send_shared_link_email_verification_code(submitter, request: request)
+
+        return { template: template_json(template), unverified_email: submitter.email, logo: logo_json(template.account) }
+      end
+
+      if submitter.errors.blank? && submitter.save
+        enqueue_new_submitter_jobs(submitter) if submitter.previous_changes.key?('id')
+
+        form_json(submitter)
+      else
+        { error: submitter.errors.full_messages.to_sentence }
+      end
+    end
+
+    def form_json(submitter)
+      raise ActiveRecord::RecordNotFound if submitter.account.archived_at?
+
+      return { expired_submitter: submitter_json(submitter), submission: submission_json(submitter.submission, submitter),
+               template: template_json(submitter.template), logo: logo_json(submitter.account) } if submitter.submission.expired?
+
+      return { completed_submitter: submitter_json(submitter), submission: submission_json(submitter.submission, submitter),
+               template: template_json(submitter.template), logo: logo_json(submitter.account) } if submitter.completed_at?
+
+      return { expired_submitter: submitter_json(submitter), submission: submission_json(submitter.submission, submitter),
+               template: template_json(submitter.template), logo: logo_json(submitter.account) } if submitter.declined_at?
+
+      unless Submitters::AuthorizedForForm.pass_email_2fa?(submitter, request)
+        return { submitter_email_2fa: submitter_json(submitter),
+                 submission: submission_json(submitter.submission, submitter),
+                 template: template_json(submitter.template), logo: logo_json(submitter.account) }
+      end
+
+      unless Submitters::AuthorizedForForm.pass_link_2fa?(submitter, nil, request)
+        return { unverified_email: submitter.email, submission: submission_json(submitter.submission, submitter),
+                 template: template_json(submitter.template), logo: logo_json(submitter.account) }
+      end
+
+      submission = submitter.submission
+
+      Submissions.preload_with_pages(submission)
+      Submitters::MaybeUpdateDefaultValues.call(submitter, nil)
+
+      {
+        template: template_json(submitter.template),
+        submission: submission_json(submission, submitter),
+        submitter: submitter_json(submitter),
+        documents: documents_json(submission),
+        attachments: attachments_json(submission),
+        values: values_param.presence || {},
+        logo: logo_json(submitter.account)
+      }
+    end
+
+    def template_json(template)
+      template.as_json(only: %i[id name slug preferences schema submitters archived_at account_id])
+    end
+
+    def submission_json(submission, submitter = nil)
+      submission.as_json(
+        only: %i[id slug name source submitters_order expire_at archived_at created_at updated_at template_id account_id],
+        methods: %i[expired?],
+      ).merge(
+        'template_schema' => Submissions.filtered_conditions_schema(submission,
+                                                                    include_submitter_uuid: submitter&.uuid),
+        'template_fields' => submission.template_fields || submission.template.fields,
+        'template_submitters' => submission.template_submitters || submission.template.submitters,
+        'submitters' => submission.submitters.as_json(
+          only: %i[id uuid slug name email phone completed_at declined_at opened_at sent_at]
+        )
+      )
+    end
+
+    def submitter_json(submitter)
+      submitter.as_json(
+        only: %i[id uuid slug name email phone values metadata preferences completed_at declined_at opened_at sent_at]
+      )
+    end
+
+    def documents_json(submission)
+      submission.schema_documents.as_json(
+        methods: %i[metadata signed_key],
+        include: { preview_images: { methods: %i[url metadata filename] } }
+      )
+    end
+
+    def attachments_json(submission)
+      ActiveStorage::Attachment.where(record: submission.submitters, name: :attachments)
+                               .preload(:blob)
+                               .as_json(only: %i[uuid created_at], methods: %i[url filename content_type])
+    end
+
+    def logo_json(account)
+      return unless account.logo.attached?
+
+      { url: account.logo.url }
+    end
+
+    def find_or_initialize_submitter(template, attrs)
+      required_fields = template.preferences.fetch('link_form_fields', ['email'])
+      required_params = required_fields.index_with { |key| attrs[key] }
+      find_params = required_params.except('name')
+
+      submitter = Submitter.new if find_params.compact_blank.blank?
+
+      relation =
+        Submitter
+        .where(submission: template.submissions.where(expire_at: Time.current..)
+                                   .or(template.submissions.where(expire_at: nil)).where(archived_at: nil))
+        .order(id: :desc)
+        .where(declined_at: nil)
+        .where(external_id: nil)
+        .where(template.preferences['shared_link_2fa'] == true ? {} : { ip: [nil, request.remote_ip] })
+
+      if (template_submitter = selected_template_submitter(template))
+        relation = relation.where(uuid: template_submitter['uuid'])
+      end
+
+      submitter ||= relation
+        .find_or_initialize_by(find_params)
+
+      submitter.name = required_params['name'] if submitter.new_record?
+
+      required_params.each do |key, value|
+        submitter.errors.add(key.to_sym, :blank) if value.blank?
+      end
+
+      submitter
+    end
+
+    def assign_submission_attributes(submitter, template)
+      submitter.assign_attributes(
+        uuid: (selected_template_submitter(template) || filter_undefined_submitters(template).first ||
+               template.submitters.first)['uuid'],
+        ip: request.remote_ip,
+        ua: request.user_agent,
+        values: {},
+        preferences: { 'send_email' => params[:send_email] },
+        metadata: {}
+      )
+
+      submitter.submission ||= Submission.new(template: template,
+                                              account_id: template.account_id,
+                                              template_submitters: template.submitters,
+                                              template_fields: template.fields,
+                                              template_schema: template.schema,
+                                              expire_at: Templates.build_default_expire_at(template),
+                                              submitters: [submitter],
+                                              source: :embed)
+
+      Submissions::CreateFromSubmitters.maybe_set_dynamic_documents(submitter.submission)
+
+      submitter.account_id = submitter.submission.account_id
+    end
+
+    def enqueue_new_submitter_jobs(submitter)
+      WebhookUrls.enqueue_events(submitter.submission, 'submission.created')
+      SearchEntries.enqueue_reindex(submitter)
+
+      return unless submitter.submission.expire_at?
+
+      ProcessSubmissionExpiredJob.perform_at(submitter.submission.expire_at, 'submission_id' => submitter.submission_id)
+    end
+
+    def filter_undefined_submitters(template)
+      Templates.filter_undefined_submitters(template.submitters)
+    end
+
+    def selected_template_submitter(template)
+      submitter_name = params[:submitter].presence || params[:role].presence
+
+      return if submitter_name.blank?
+
+      template.submitters.find { |item| item['uuid'] == submitter_name || item['name'] == submitter_name }
+    end
+
+    def submitter_params
+      {
+        'email' => Submissions.normalize_email(params[:email].presence),
+        'name' => params[:name].presence,
+        'phone' => params[:phone].presence
+      }.compact
+    end
+
+    def values_param
+      params[:values].respond_to?(:to_unsafe_h) ? params[:values].to_unsafe_h : params[:values]
+    end
+
+    def metadata_param
+      params[:metadata].respond_to?(:to_unsafe_h) ? params[:metadata].to_unsafe_h : params[:metadata]
+    end
+
+    def token_payload
+      return {} if params[:token].blank?
+
+      JSON.parse(Base64.urlsafe_decode64(params[:token].split('.')[1])).with_indifferent_access
+    rescue JSON::ParserError, ArgumentError
+      {}
+    end
+  end
+end
--- a/app/controllers/send_submission_email_controller.rb
+++ b/app/controllers/send_submission_email_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class SendSubmissionEmailController < ApplicationController
+  include EmbedCors
+
  layout 'form'

  skip_before_action :authenticate_user!
@ -27,6 +29,9 @@ class SendSubmissionEmailController < ApplicationController
      @submitter = Submitter.completed.find_by!(slug: params[:submitter_slug])
    end

+    @embed_cors_account = @submitter.account
+    set_embed_cors_headers
+
    RateLimit.call("send-email-#{@submitter.id}", limit: 2, ttl: 5.minutes)

    SubmitterMailer.documents_copy_email(@submitter, sig: true).deliver_later! if can_send?(@submitter)
--- a/app/controllers/submit_form_completed_download_controller.rb
+++ b/app/controllers/submit_form_completed_download_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class SubmitFormCompletedDownloadController < ApplicationController
+  include EmbedCors
+
  skip_before_action :authenticate_user!
  skip_authorization_check

@ -18,6 +20,9 @@ class SubmitFormCompletedDownloadController < ApplicationController
      end

    @submitter ||= Submitter.find_by!(slug: submitter_slug)
+    @embed_cors_account = @submitter.account
+
+    set_embed_cors_headers

    Submissions::EnsureResultGenerated.call(@submitter)

--- a/app/controllers/submit_form_controller.rb
+++ b/app/controllers/submit_form_controller.rb
@ -1,13 +1,17 @@
 # frozen_string_literal: true

 class SubmitFormController < ApplicationController
+  include EmbedCors
+
  layout 'form'

  around_action :with_browser_locale, only: %i[show completed success delegated]
  skip_before_action :authenticate_user!
+  skip_before_action :verify_authenticity_token, only: :update
  skip_authorization_check

  before_action :load_submitter, only: %i[show update completed]
+  before_action :set_embed_cors_headers, only: :update
  before_action :maybe_redirect_delegated, only: %i[show completed]
  before_action :maybe_render_locked_page, only: :show
  before_action :maybe_require_link_2fa, only: %i[show]
@ -135,4 +139,8 @@ class SubmitFormController < ApplicationController
    ActiveStorage::Attachment.where(record: submission.submitters, name: :attachments)
                             .preload(:blob).index_by(&:uuid)
  end
+
+  def embed_cors_account
+    @submitter&.account || super
+  end
 end
--- a/app/controllers/submit_form_download_controller.rb
+++ b/app/controllers/submit_form_download_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class SubmitFormDownloadController < ApplicationController
+  include EmbedCors
+
  skip_before_action :authenticate_user!
  skip_authorization_check

@ -8,6 +10,9 @@ class SubmitFormDownloadController < ApplicationController

  def index
    @submitter = Submitter.find_by!(slug: params[:submit_form_slug])
+    @embed_cors_account = @submitter.account
+
+    set_embed_cors_headers

    return redirect_to submit_form_documents_path(@submitter.slug) if @submitter.completed_at?

--- a/app/controllers/submit_form_metadata_controller.rb
+++ b/app/controllers/submit_form_metadata_controller.rb
@ -1,11 +1,16 @@
 # frozen_string_literal: true

 class SubmitFormMetadataController < ApplicationController
+  include EmbedCors
+
  skip_before_action :authenticate_user!
  skip_authorization_check

  def index
    submitter = Submitter.find_by!(slug: params[:submit_form_slug])
+    @embed_cors_account = submitter.account
+
+    set_embed_cors_headers

    return head :not_found if submitter.declined_at? ||
                              submitter.completed_at? ||
@ -17,7 +22,7 @@ class SubmitFormMetadataController < ApplicationController

    submission = submitter.submission
    values = submission.submitters.reduce({}) { |acc, sub| acc.merge(sub.values) }
-    schema = Submissions.filtered_conditions_schema(submission, values:, include_submitter_uuid: submitter.uuid)
+    schema = Submissions.filtered_conditions_schema(submission, values: values, include_submitter_uuid: submitter.uuid)

    documents = schema.filter_map do |item|
      submission.schema_documents.find { |a| a.uuid == item['attachment_uuid'] }
@ -32,6 +37,6 @@ class SubmitFormMetadataController < ApplicationController
      ]
    end

-    render json: { text_runs: }
+    render json: { text_runs: text_runs }
  end
 end
--- a/app/controllers/submit_form_values_controller.rb
+++ b/app/controllers/submit_form_values_controller.rb
@ -1,11 +1,16 @@
 # frozen_string_literal: true

 class SubmitFormValuesController < ApplicationController
+  include EmbedCors
+
  skip_before_action :authenticate_user!
  skip_authorization_check

  def index
    submitter = Submitter.find_by!(slug: params[:submit_form_slug])
+    @embed_cors_account = submitter.account
+
+    set_embed_cors_headers

    return render json: {} if submitter.completed_at? ||
                              submitter.declined_at? ||
@ -18,7 +23,7 @@ class SubmitFormValuesController < ApplicationController
    attachment = submitter.attachments.where(created_at: params[:after]..).find_by(uuid: value) if value.present?

    render json: {
-      value:,
+      value: value,
      attachment: attachment&.as_json(only: %i[uuid created_at], methods: %i[url filename content_type])
    }, head: :ok
  end
--- a/app/models/account_config.rb
+++ b/app/models/account_config.rb
@ -59,6 +59,7 @@ class AccountConfig < ApplicationRecord
  TEMPLATE_CUSTOM_FIELDS_KEY = 'template_custom_fields'
  POLICY_LINKS_KEY = 'policy_links'
  ENABLE_MCP_KEY = 'enable_mcp'
+  EMBED_ALLOWED_ORIGINS_KEY = 'embed_allowed_origins'

  EMAIL_VARIABLES = {
    SUBMITTER_INVITATION_EMAIL_KEY => %w[template.name submitter.link account.name].freeze,
--- a/app/views/accounts/show.html.erb
+++ b/app/views/accounts/show.html.erb
@ -228,6 +228,27 @@
            </div>
          <% end %>
        <% end %>
+        <% account_config = AccountConfig.find_or_initialize_by(account: current_account, key: AccountConfig::EMBED_ALLOWED_ORIGINS_KEY) %>
+        <% if can?(:manage, account_config) %>
+          <%= form_for account_config, url: account_configs_path, method: :post, html: { class: 'py-2.5' } do |f| %>
+            <%= f.hidden_field :key %>
+            <div class="space-y-2">
+              <div class="flex items-center space-x-1">
+                <span class="text-left"><%= t('allowed_embedding_origins') %></span>
+                <span class="tooltip tooltip-top flex cursor-pointer" data-tip="<%= t('allowed_embedding_origins_description') %>">
+                  <%= svg_icon('info_circle', class: 'hidden md:inline-block w-4 h-4 shrink-0') %>
+                </span>
+              </div>
+              <%= text_area_tag 'account_config[value]', Array(account_config.value).join("\n"), class: 'base-input min-h-28', placeholder: "https://app.example.com\nhttp://localhost:5173", dir: 'ltr' %>
+              <div class="flex items-center justify-between gap-3">
+                <p class="text-sm text-gray-500">
+                  <%= t('leave_blank_to_allow_embedding_from_any_origin') %>
+                </p>
+                <%= f.button button_title(title: t('save'), disabled_with: t('saving')), class: 'btn btn-sm btn-neutral text-white px-4' %>
+              </div>
+            </div>
+          <% end %>
+        <% end %>
        <% account_config = AccountConfig.find_or_initialize_by(account: current_account, key: AccountConfig::COMBINE_PDF_RESULT_KEY) %>
        <% if can?(:manage, account_config) %>
          <%= form_for account_config, url: account_configs_path, method: :post do |f| %>
--- a/config/locales/i18n.yml
+++ b/config/locales/i18n.yml
@ -46,6 +46,7 @@ en: &en
  click_here_to_send_a_reset_password_email_html: '<label class="link" for="resend_password_button">Click here</label> to send a reset password email.'
  edit_order: Edit Order
  expirable_file_download_links: Expirable file download links
+  allowed_embedding_origins: Allowed embedding origins
  sender_form_fields: Sender form fields
  default_parties: Default parties
  authenticate_embedded_form_preview_with_token: Authenticate embedded form preview with token
@ -209,6 +210,7 @@ en: &en
  allow_to_delegate_documents: Allow to delegate documents
  remember_and_pre_fill_signatures: Remember and pre-fill signatures
  require_authentication_for_file_download_links: Require authentication for file download links
+  leave_blank_to_allow_embedding_from_any_origin: Leave blank to allow embedding from any origin.
  combine_completed_documents_and_audit_log: Combine completed documents and Audit Log
  salesforce_integration: Salesforce Integration
  salesforce_has_been_connected: Salesforce has been connected.
@ -855,6 +857,7 @@ en: &en
  save_a_users_signature_and_automatically_pre_fill_it_in_future_signing_sessions: "Save a user's signature and automatically pre-fill it in future signing sessions."
  make_document_download_links_expire_after_40_minutes_to_prevent_long_term_access_and_enhance_security: Make document download links expire after 40 minutes to prevent long-term access and enhance security.
  require_authentication_with_user_login_or_api_key_to_access_the_document_download_links: Require authentication with user login or API key to access the document download links.
+  allowed_embedding_origins_description: Enter allowed frontend origins for embedded signing, one per line or separated by commas. Include protocol and port, for example https://app.example.com or http://localhost:5173.
  combine_signed_documents_and_the_audit_log_into_a_single_pdf_file_for_easier_recordkeeping_and_compliance: Combine signed documents and the Audit Log into a single PDF file for easier recordkeeping and compliance.
  require_a_jwt_authorization_to_preview_embedded_forms_ensuring_only_authorized_users_can_view_them: Require a JWT authorization to preview embedded forms, ensuring only authorized users can view them.
  make_all_newly_created_templates_private_to_their_creator_by_default: Make all newly created templates private to their creator by default.
--- a/config/routes.rb
+++ b/config/routes.rb
@ -214,6 +214,14 @@ Rails.application.routes.draw do

  match '/mcp', to: 'mcp#call', via: %i[get post]

+  post '/embed/forms', to: 'embed/forms#create'
+  match '/embed/forms', to: 'embed/forms#preflight', via: :options
+  match '/s/:slug', to: 'cors_preflight#show', via: :options
+  match '/s/:slug/*path', to: 'cors_preflight#show', via: :options
+  match '/submitters/:submitter_id/download', to: 'cors_preflight#show', via: :options
+  match '/send_submission_email', to: 'cors_preflight#show', via: :options
+  match '/api/*path', to: 'cors_preflight#show', via: :options
+
  get '/js/:filename', to: 'embed_scripts#show', as: :embed_script

  ActiveSupport.run_load_hooks(:routes, self)
--- a/spec/requests/embed_forms_spec.rb
+++ b/spec/requests/embed_forms_spec.rb
@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+describe 'Embed forms' do
+  let(:account) { create(:account) }
+  let(:author) { create(:user, account: account) }
+  let(:template) { create(:template, account: account, author: author, shared_link: true) }
+
+  describe 'POST /embed/forms' do
+    it 'returns a shared template payload before the signer starts' do
+      post '/embed/forms', params: { slug: template.slug }.to_json, headers: { 'CONTENT_TYPE' => 'application/json' }
+
+      expect(response).to have_http_status(:ok)
+      expect(response.parsed_body.dig('template', 'id')).to eq(template.id)
+      expect(response.parsed_body['submitter']).to be_nil
+      expect(response.headers['Access-Control-Allow-Origin']).to eq('*')
+    end
+
+    it 'creates an embedded submitter and returns signing data' do
+      post '/embed/forms',
+           params: { slug: template.slug, email: 'signer@example.com', name: 'Jane Signer' }.to_json,
+           headers: { 'CONTENT_TYPE' => 'application/json' }
+
+      expect(response).to have_http_status(:ok)
+      expect(response.parsed_body.dig('submitter', 'email')).to eq('signer@example.com')
+      expect(response.parsed_body.dig('submission', 'source')).to eq('embed')
+      expect(response.parsed_body.dig('submission', 'template_fields')).to be_present
+      expect(response.parsed_body['documents']).to be_present
+    end
+
+    it 'loads an existing submitter by slug' do
+      submitter = create(:submission, :with_submitters, template: template).submitters.first
+
+      post '/embed/forms', params: { slug: submitter.slug }.to_json, headers: { 'CONTENT_TYPE' => 'application/json' }
+
+      expect(response).to have_http_status(:ok)
+      expect(response.parsed_body.dig('submitter', 'slug')).to eq(submitter.slug)
+    end
+  end
+
+  describe 'OPTIONS /embed/forms' do
+    it 'returns CORS preflight headers' do
+      process :options, '/embed/forms'
+
+      expect(response).to have_http_status(:ok)
+      expect(response.headers['Access-Control-Allow-Origin']).to eq('*')
+      expect(response.headers['Access-Control-Allow-Methods']).to include('POST')
+      expect(response.headers['Access-Control-Allow-Headers']).to eq('*')
+    end
+  end
+end