From c462b6eb72d56f6ff8ae70415a9ef4dc7491304c Mon Sep 17 00:00:00 2001 From: Will O'Beirne Date: Thu, 4 Apr 2019 21:32:20 -0400 Subject: [PATCH] Give CORS setting its own env var --- backend/.env.example | 2 ++ backend/grant/app.py | 4 ++-- backend/grant/settings.py | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/backend/.env.example b/backend/.env.example index d4c83bff..c1b97adc 100644 --- a/backend/.env.example +++ b/backend/.env.example @@ -9,6 +9,8 @@ SENDGRID_API_KEY="optional, but emails won't send without it" # set this so third-party cookie blocking doesn't kill backend sessions (production) # SESSION_COOKIE_DOMAIN="zfnd.org" +# Limit CORS to these domains, no spaces in seperators. Defaults to '*'. +# CORS_DOMAINS="domain.com,domain2.com" # SENTRY_DSN="https://PUBLICKEY@sentry.io/PROJECTID" # SENTRY_RELEASE="optional, provides sentry logging with release info" diff --git a/backend/grant/app.py b/backend/grant/app.py index e11be287..1bbd4212 100644 --- a/backend/grant/app.py +++ b/backend/grant/app.py @@ -12,7 +12,7 @@ from sentry_sdk.integrations.flask import FlaskIntegration from sentry_sdk.integrations.logging import LoggingIntegration from grant import commands, proposal, user, comment, milestone, admin, email, blockchain, task, rfp, e2e from grant.extensions import bcrypt, migrate, db, ma, security, limiter -from grant.settings import SENTRY_RELEASE, ENV, E2E_TESTING, DEBUG, SESSION_COOKIE_DOMAIN +from grant.settings import SENTRY_RELEASE, ENV, E2E_TESTING, DEBUG, CORS_DOMAINS from grant.utils.auth import AuthException, handle_auth_error, get_authed_user from grant.utils.exceptions import ValidationException 
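Review bot: The new CORS_DOMAINS comment in .env.example has a typo (`seperators` should be `separators`) and does not say what a valid entry looks like; Flask-CORS matches each entry against the full `Origin` request header, which includes the scheme, so a bare `domain.com` as shown in the example would, as far as I can tell, never match — worth confirming against the Flask-CORS version pinned in this repo. The consequence of the default is also worth spelling out, because app.py enables `supports_credentials=True` on the same CORS object. Suggested comment: `# Comma-separated allowed CORS origins, no spaces (e.g. "https://domain.com,https://domain2.com"). Defaults to '*', which with supports_credentials=True lets any site make credentialed requests - always set this in production.`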
@@ -121,7 +121,7 @@ def register_extensions(app): security.init_app(app, datastore=user_datastore, register_blueprint=False) # supports_credentials for session cookies, on cookie domains (if set) - origins = [SESSION_COOKIE_DOMAIN] if SESSION_COOKIE_DOMAIN else '*' + origins = CORS_DOMAINS.split(',') CORS(app, supports_credentials=True, expose_headers='X-Grantio-Authed', origins=origins) SSLify(app) return None diff --git a/backend/grant/settings.py b/backend/grant/settings.py index d82b013a..82813df8 100644 --- a/backend/grant/settings.py +++ b/backend/grant/settings.py @@ -29,6 +29,7 @@ SQLALCHEMY_TRACK_MODIFICATIONS = False # so backend session cookies are first-party SESSION_COOKIE_DOMAIN = env.str('SESSION_COOKIE_DOMAIN', default=None) +CORS_DOMAINS = env.str('CORS_DOMAINS', default='*') SENDGRID_API_KEY = env.str("SENDGRID_API_KEY", default="") SENDGRID_DEFAULT_FROM = "noreply@grants.zfnd.org"
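Review bot: The context comment `# supports_credentials for session cookies, on cookie domains (if set)` is now stale, since `origins` no longer derives from SESSION_COOKIE_DOMAIN; it should describe CORS_DOMAINS instead, e.g. `# origins from CORS_DOMAINS; credentials are enabled so session cookies work cross-origin`. `CORS_DOMAINS.split(',')` also keeps surrounding whitespace and empty entries, so `"a.com, b.com"` yields `' b.com'` (which will not match) and an empty variable yields `['']`; I would normalise with `origins = [o.strip() for o in CORS_DOMAINS.split(',') if o.strip()]`. Separately, Flask-CORS compares each entry with the full Origin header, scheme included, so the bare hostnames in .env.example may never match unless the configured values carry the scheme — please verify against the pinned Flask-CORS before relying on the example. register_extensions starts outside the hunk.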
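Review bot: `CORS_DOMAINS = env.str('CORS_DOMAINS', default='*')` keeps the wildcard as the production default, and app.py hands it to CORS together with `supports_credentials=True`; as far as I recall, Flask-CORS serves a wildcard in credentialed mode by echoing the request's own Origin, so any site can make credentialed cross-origin requests against a user's session unless the operator remembers to set the variable. The commit makes the value configurable but does not make the safe choice the default, and nothing validates the result. I would default to no wildcard outside development, e.g. `CORS_DOMAINS = env.str('CORS_DOMAINS', default='*' if DEBUG else '')` (DEBUG is exported from this module per app.py's import, but confirm it is assigned before this line), and have register_extensions log a warning when the parsed origins still contain `'*'`.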