DESENG-484: Adding max age for cors (#2377)

* DESENG-484: Adding max age for cors
bcgov · Feb 9, 2024 · 9be6576 · 9be6576
1 parent 23faaae
commit 9be6576
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
@@ -1,3 +1,8 @@
+## February 08, 2024
+- **Task**Cache CORS preflight responses with the browser for a given period of time [DESENG-484](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-484)
+    - Introduces a new configuration variable to specify the maximum age for Cross-Origin Resource Sharing (CORS)
+    - Modified the CORS preflight method to utilize this newly introduced variable.
+
 ## February 06, 2024
 - **Task**Convert keycloak groups to composite roles for permission levels [DESENG-447](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-447)
     - Commented out unit test related to Keycloak groups

diff --git a/met-api/src/met_api/config.py b/met-api/src/met_api/config.py
@@ -163,6 +163,12 @@ def SQLALCHEMY_DATABASE_URI(self) -> str:
     # CORS settings
     CORS_ORIGINS = os.getenv('CORS_ORIGINS', '').split(',')
 
+    # CORS_MAX_AGE defines the maximum age (in seconds) for Cross-Origin Resource Sharing (CORS) settings.
+    # This value is used to indicate how long the results of a preflight request (OPTIONS) can be cached
+    # by the client, reducing the frequency of preflight requests for the specified HTTP methods.
+    # Adjust this value based on security considerations.
+    CORS_MAX_AGE = os.getenv('CORS_MAX_AGE', None) # Default: 0 seconds
+
     EPIC_CONFIG = {
         'ENABLED': env_truthy('EPIC_INTEGRATION_ENABLED'),
         'JWT_OIDC_ISSUER': os.getenv('EPIC_JWT_OIDC_ISSUER'),

diff --git a/met-api/src/met_api/utils/util.py b/met-api/src/met_api/utils/util.py
@@ -21,6 +21,7 @@
 import os
 import urllib
 
+from flask import request
 from humps.main import camelize, decamelize
 
 
@@ -29,12 +30,18 @@ def cors_preflight(methods):
 
     def wrapper(f):
         def options(self, *args, **kwargs):  # pylint: disable=unused-argument
-            return {'Allow': 'GET, DELETE, PUT, POST'}, 200, {
+            headers = {
+                'Allow': 'GET, DELETE, PUT, POST',
                 'Access-Control-Allow-Origin': '*',
                 'Access-Control-Allow-Methods': methods,
                 'Access-Control-Allow-Headers': 'Authorization, Content-Type, '
                                                 'registries-trace-id, invitation_token'
             }
+            max_age = os.getenv('CORS_MAX_AGE')
+            if max_age is not None:
+                headers['Access-Control-Max-Age'] = str(max_age)
+
+            return headers, 200, {}
 
         setattr(f, 'options', options)
         return f