DESENG-484: Adding max age for cors (#2379)

* DESENG-484: Adding max age for cors (#2377)
bcgov · Feb 12, 2024 · 11e14f9 · 11e14f9
1 parent be8dad4
commit 11e14f9
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 3 deletions.
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
@@ -1,4 +1,7 @@
 ## February 08, 2024
+- **Task**Cache CORS preflight responses with the browser for a given period of time [DESENG-484](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-484)
+    - Introduces a new configuration variable to specify the maximum age for Cross-Origin Resource Sharing (CORS)
+    - Modified the CORS preflight method to utilize this newly introduced variable.
 - **Task**Consolidate and re-write old migration files [DESENG-452](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-452)
     - Change some foreign key field to nullbale false in model files
     - Change `rejected_reason_other` to nullable true in `submission` model

diff --git a/met-api/src/met_api/config.py b/met-api/src/met_api/config.py
@@ -163,6 +163,12 @@ def SQLALCHEMY_DATABASE_URI(self) -> str:
     # CORS settings
     CORS_ORIGINS = os.getenv('CORS_ORIGINS', '').split(',')
 
+    # CORS_MAX_AGE defines the maximum age (in seconds) for Cross-Origin Resource Sharing (CORS) settings.
+    # This value is used to indicate how long the results of a preflight request (OPTIONS) can be cached
+    # by the client, reducing the frequency of preflight requests for the specified HTTP methods.
+    # Adjust this value based on security considerations.
+    CORS_MAX_AGE = os.getenv('CORS_MAX_AGE', None)  # Default: 0 seconds
+
     EPIC_CONFIG = {
         'ENABLED': env_truthy('EPIC_INTEGRATION_ENABLED'),
         'JWT_OIDC_ISSUER': os.getenv('EPIC_JWT_OIDC_ISSUER'),

diff --git a/met-api/src/met_api/utils/util.py b/met-api/src/met_api/utils/util.py
@@ -29,12 +29,18 @@ def cors_preflight(methods):
 
     def wrapper(f):
         def options(self, *args, **kwargs):  # pylint: disable=unused-argument
-            return {'Allow': 'GET, DELETE, PUT, POST'}, 200, {
+            headers = {
+                'Allow': 'GET, DELETE, PUT, POST',
                 'Access-Control-Allow-Origin': '*',
                 'Access-Control-Allow-Methods': methods,
                 'Access-Control-Allow-Headers': 'Authorization, Content-Type, '
                                                 'registries-trace-id, invitation_token'
             }
+            max_age = os.getenv('CORS_MAX_AGE')
+            if max_age is not None:
+                headers['Access-Control-Max-Age'] = str(max_age)
+
+            return headers, 200, {}
 
         setattr(f, 'options', options)
         return f

diff --git a/met-api/tests/unit/utils/test_util_cors.py b/met-api/tests/unit/utils/test_util_cors.py
@@ -40,5 +40,5 @@ class TestCors():
         pass
 
     rv = TestCors().options()  # pylint: disable=no-member
-    assert rv[2]['Access-Control-Allow-Origin'] == '*'
-    assert rv[2]['Access-Control-Allow-Methods'] == methods
+    assert rv[0]['Access-Control-Allow-Origin'] == '*'
+    assert rv[0]['Access-Control-Allow-Methods'] == methods