YunoHost/moulinette
1
0
Fork 0
mirror of https://github.com/YunoHost/moulinette.git synced 2024-09-03 20:06:31 +02:00
Code Issues Projects Releases Packages Wiki Activity

api: Add a proper mechanism to allow specific, configurable CORS origins

Browse source
This commit is contained in:
Alexandre Aubin 2023-07-29 19:09:52 +02:00
parent 4104704a87
commit 328107c946
2 changed files with 23 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
moulinette/__init__.py
View file

@ -53,7 +53,7 @@ class Moulinette:
# Easy access to interfaces # Easy access to interfaces
def api(host="localhost", port=80, routes={}, actionsmap=None, locales_dir=None): def api(host="localhost", port=80, routes={}, actionsmap=None, locales_dir=None, allowed_cors_origins=[]):
"""Web server (API) interface """Web server (API) interface
Run a HTTP server with the moulinette for an API usage. Run a HTTP server with the moulinette for an API usage.
@ -73,6 +73,7 @@ def api(host="localhost", port=80, routes={}, actionsmap=None, locales_dir=None)
Api( Api(
routes=routes, routes=routes,
actionsmap=actionsmap, actionsmap=actionsmap,
allowed_cors_origins=allowed_cors_origins,
).run(host, port) ).run(host, port)
except MoulinetteError as e: except MoulinetteError as e:
import logging import logging

27
moulinette/interfaces/api.py
View file

@ -717,9 +717,11 @@ class Interface:
type = "api" type = "api"
def __init__(self, routes={}, actionsmap=None): def __init__(self, routes={}, actionsmap=None, allowed_cors_origins=[]):
actionsmap = ActionsMap(actionsmap, ActionsMapParser()) actionsmap = ActionsMap(actionsmap, ActionsMapParser())
self.allowed_cors_origins = allowed_cors_origins
# Attempt to retrieve log queues from an APIQueueHandler # Attempt to retrieve log queues from an APIQueueHandler
handler = log.getHandlersByClass(APIQueueHandler, limit=1) handler = log.getHandlersByClass(APIQueueHandler, limit=1)
if handler: if handler:
@ -729,11 +731,18 @@ class Interface:
# TODO: Return OK to 'OPTIONS' xhr requests (l173) # TODO: Return OK to 'OPTIONS' xhr requests (l173)
app = Bottle(autojson=True) app = Bottle(autojson=True)
# Wrapper which sets proper header def cors(callback):
def apiheader(callback):
def wrapper(*args, **kwargs): def wrapper(*args, **kwargs):
response.set_header("Access-Control-Allow-Origin", "*") r = callback(*args, **kwargs)
return callback(*args, **kwargs) origin = request.headers.environ.get("HTTP_ORIGIN", "")
if origin and origin in self.allowed_cors_origins:
resp = r if isinstance(r, HTTPResponse) else response
resp.headers['Access-Control-Allow-Origin'] = origin
resp.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, OPTIONS, DELETE'
resp.headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token'
resp.headers['Access-Control-Allow-Credentials'] = 'true'
return r
return wrapper return wrapper
@ -751,7 +760,7 @@ class Interface:
# Install plugins # Install plugins
app.install(filter_csrf) app.install(filter_csrf)
app.install(apiheader) app.install(cors)
app.install(api18n) app.install(api18n)
actionsmapplugin = _ActionsMapPlugin(actionsmap, log_queues) actionsmapplugin = _ActionsMapPlugin(actionsmap, log_queues)
app.install(actionsmapplugin) app.install(actionsmapplugin)
@ -760,6 +769,12 @@ class Interface:
self.display = actionsmapplugin.display self.display = actionsmapplugin.display
self.prompt = actionsmapplugin.prompt self.prompt = actionsmapplugin.prompt
def handle_options():
return HTTPResponse("", 204)
app.route('/<:re:.*>', method="OPTIONS",
callback=handle_options, skip=["actionsmap"])
# Append additional routes # Append additional routes
# TODO: Add optional authentication to those routes? # TODO: Add optional authentication to those routes?
for (m, p), c in routes.items(): for (m, p), c in routes.items():