Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DESENG-484: Adding max age for cors #2377

Merged
merged 8 commits into from
Feb 9, 2024
Merged

DESENG-484: Adding max age for cors #2377

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
3401d22
Fix for keycloak tests
VineetBala-AOT Jan 29, 2024
c4a2ac1
Updating keycloak test url
VineetBala-AOT Jan 29, 2024
d05ad01
Testing met-cron
VineetBala-AOT Feb 3, 2024
88d294f
Updating user context
VineetBala-AOT Feb 3, 2024
e748a2e
Updating notify api
VineetBala-AOT Feb 4, 2024
5e67ec7
Removing change for notify api
VineetBala-AOT Feb 6, 2024
b686c4a
DESENG-484: Adding max age for cors
VineetBala-AOT Feb 8, 2024
3627002
Updating the change log
VineetBala-AOT Feb 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CHANGELOG.MD
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## February 08, 2024
- **Task**Cache CORS preflight responses with the browser for a given period of time [DESENG-484](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-484)
- Introduces a new configuration variable to specify the maximum age for Cross-Origin Resource Sharing (CORS)
- Modified the CORS preflight method to utilize this newly introduced variable.

## February 06, 2024
- **Task**Convert keycloak groups to composite roles for permission levels [DESENG-447](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-447)
- Commented out unit test related to Keycloak groups
Expand Down
6 changes: 6 additions & 0 deletions met-api/src/met_api/config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,12 @@ def SQLALCHEMY_DATABASE_URI(self) -> str:
# CORS settings
CORS_ORIGINS = os.getenv('CORS_ORIGINS', '').split(',')

# CORS_MAX_AGE defines the maximum age (in seconds) for Cross-Origin Resource Sharing (CORS) settings.
# This value is used to indicate how long the results of a preflight request (OPTIONS) can be cached
# by the client, reducing the frequency of preflight requests for the specified HTTP methods.
# Adjust this value based on security considerations.
CORS_MAX_AGE = os.getenv('CORS_MAX_AGE', None) # Default: 0 seconds
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that you did this with an environment variable! A couple things:

  • Could we make sure to set this in Openshift before we close the ticket? Looks like 2 hours is the maximum value for modern chromium browsers (Firefox is 72 hrs). Either this or we could set the default to be 2 hours.
  • Our server is CORS-aware and checking for CORS origins so what are the security considerations here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I will set it in Openshift before closing the ticket.

For enhanced security considerations, configuring Access-Control-Max-Age as an environment variable provides the flexibility to adjust its duration or even eliminate it entirely in response to security concerns. Online recommendations suggest maintaining a shorter duration for Access-Control-Max-Age to mitigate potential risks.


EPIC_CONFIG = {
'ENABLED': env_truthy('EPIC_INTEGRATION_ENABLED'),
'JWT_OIDC_ISSUER': os.getenv('EPIC_JWT_OIDC_ISSUER'),
Expand Down
9 changes: 8 additions & 1 deletion met-api/src/met_api/utils/util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import os
import urllib

from flask import request
from humps.main import camelize, decamelize


Expand All @@ -29,12 +30,18 @@ def cors_preflight(methods):

def wrapper(f):
def options(self, *args, **kwargs): # pylint: disable=unused-argument
return {'Allow': 'GET, DELETE, PUT, POST'}, 200, {
headers = {
'Allow': 'GET, DELETE, PUT, POST',
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Methods': methods,
'Access-Control-Allow-Headers': 'Authorization, Content-Type, '
'registries-trace-id, invitation_token'
}
max_age = os.getenv('CORS_MAX_AGE')
if max_age is not None:
headers['Access-Control-Max-Age'] = str(max_age)

return headers, 200, {}

setattr(f, 'options', options)
return f
Expand Down