From f764cb14a5d02d13c3719ead6811a0242858ecf5 Mon Sep 17 00:00:00 2001 From: VineetBala-AOT <90332175+VineetBala-AOT@users.noreply.github.com> Date: Mon, 12 Feb 2024 10:25:17 -0800 Subject: [PATCH] DESENG-484: Adding max age for cors (#2379) * DESENG-484: Adding max age for cors (#2377) --- CHANGELOG.MD | 5 +++++ met-api/src/met_api/config.py | 6 ++++++ met-api/src/met_api/utils/util.py | 8 +++++++- met-api/tests/unit/utils/test_util_cors.py | 4 ++-- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.MD b/CHANGELOG.MD index 2f99686c8..7720e48f3 100644 --- a/CHANGELOG.MD +++ b/CHANGELOG.MD @@ -8,6 +8,11 @@ ## February 08, 2024 +- **Task**Cache CORS preflight responses with the browser for a given period of time [DESENG-484](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-484) + + - Introduces a new configuration variable to specify the maximum age for Cross-Origin Resource Sharing (CORS) + - Modified the CORS preflight method to utilize this newly introduced variable. + - **Task**Consolidate and re-write old migration files [DESENG-452](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-452) - Change some foreign key field to nullbale false in model files - Change `rejected_reason_other` to nullable true in `submission` model diff --git a/met-api/src/met_api/config.py b/met-api/src/met_api/config.py index e47321e4a..630c86e27 100644 --- a/met-api/src/met_api/config.py +++ b/met-api/src/met_api/config.py 
@@ -163,6 +163,12 @@ def SQLALCHEMY_DATABASE_URI(self) -> str: # CORS settings CORS_ORIGINS = os.getenv('CORS_ORIGINS', '').split(',') + # CORS_MAX_AGE defines the maximum age (in seconds) for Cross-Origin Resource Sharing (CORS) settings. + # This value is used to indicate how long the results of a preflight request (OPTIONS) can be cached + # by the client, reducing the frequency of preflight requests for the specified HTTP methods. + # Adjust this value based on security considerations. + CORS_MAX_AGE = os.getenv('CORS_MAX_AGE', None) # Default: 0 seconds + EPIC_CONFIG = { 'ENABLED': env_truthy('EPIC_INTEGRATION_ENABLED'), 'JWT_OIDC_ISSUER': os.getenv('EPIC_JWT_OIDC_ISSUER'), diff --git a/met-api/src/met_api/utils/util.py b/met-api/src/met_api/utils/util.py index b6367d6fc..d6e8cbb85 100644 --- a/met-api/src/met_api/utils/util.py +++ b/met-api/src/met_api/utils/util.py @@ -29,12 +29,18 @@ def cors_preflight(methods): def wrapper(f): def options(self, *args, **kwargs): # pylint: disable=unused-argument - return {'Allow': 'GET, DELETE, PUT, POST'}, 200, { + headers = { + 'Allow': 'GET, DELETE, PUT, POST', 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': methods, 'Access-Control-Allow-Headers': 'Authorization, Content-Type, ' 'registries-trace-id, invitation_token' } + max_age = os.getenv('CORS_MAX_AGE') + if max_age is not None: + headers['Access-Control-Max-Age'] = str(max_age) + + return headers, 200, {} setattr(f, 'options', options) return f diff --git a/met-api/tests/unit/utils/test_util_cors.py b/met-api/tests/unit/utils/test_util_cors.py index 681b27f13..672229129 100644 --- a/met-api/tests/unit/utils/test_util_cors.py +++ b/met-api/tests/unit/utils/test_util_cors.py 
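Review bot: The trailing comment on the new `CORS_MAX_AGE` line says `# Default: 0 seconds`, but the default passed to `os.getenv` is `None`, and the util.py hunk omits `Access-Control-Max-Age` when the variable is unset, so the browser's own default preflight cache lifetime applies instead of zero. I would change it to `CORS_MAX_AGE = os.getenv('CORS_MAX_AGE', None)  # Default: unset (header omitted)`. The value also stays an unvalidated string; parsing it once here as a non-negative integer would keep a typo in the environment from being sent verbatim in the header. For the "security considerations" sentence, the comment could state the actual trade-off: with a long max-age, clients that cached a preflight keep using the old answer after the allowed methods or headers are tightened. The enclosing config class starts and ends outside the hunk.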
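Review bot: The new `return headers, 200, {}` puts the CORS headers in the first tuple element and leaves the third empty, whereas the removed code returned them in the third element (the one the old test read as `rv[2]`); if that position is the response-header slot, as the previous code implies, the preflight response now carries no `Access-Control-*` headers at all and `Access-Control-Max-Age` never reaches the browser. Keeping the original shape fixes it: build `headers` without the `'Allow'` entry and end with `return {'Allow': 'GET, DELETE, PUT, POST'}, 200, headers`. The test hunk's switch from `rv[2]` to `rv[0]` follows the same mistake and should be reverted with it. Separately, `os.getenv('CORS_MAX_AGE')` bypasses the `CORS_MAX_AGE` setting this commit adds to config.py, and the hunk does not show `os` being imported in util.py, so that is worth confirming. `cors_preflight` starts above the hunk.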
@@ -40,5 +40,5 @@ class TestCors(): pass rv = TestCors().options() # pylint: disable=no-member - assert rv[2]['Access-Control-Allow-Origin'] == '*' - assert rv[2]['Access-Control-Allow-Methods'] == methods + assert rv[0]['Access-Control-Allow-Origin'] == '*' + assert rv[0]['Access-Control-Allow-Methods'] == methods
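Review bot: No assertion here covers the behaviour this commit adds: the test never sets `CORS_MAX_AGE`, so neither the presence of `Access-Control-Max-Age` nor its absence when the variable is unset is checked. A second case that sets the variable (for example with pytest's `monkeypatch.setenv('CORS_MAX_AGE', '600')`, value constructed) and asserts the header equals `'600'` in the element that holds the response headers, plus one asserting the key is missing when the variable is unset, would pin both branches. The test function starts above the hunk.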