CORS middleware only handles parameterized URLs with letters #647

Closed
hbldh opened this issue Apr 18, 2018 · 4 comments

hbldh commented Apr 18, 2018

I love hug and use it a lot, and I ran into a problem today.

Say that I have a hug API like this:

```python
import hug
from hug.middleware import CORSMiddleware

api = hug.API(__name__)
api.http.add_middleware(CORSMiddleware(api))

@hug.post('/api/{the_id}')
def id_reposter(the_id):
    return {'id': the_id}
```

The hug API answers to POST requests and the CORS middleware then answers to OPTIONS calls (pre-flighted requests):

```python
>>> import requests
>>> requests.post("http://localhost:8000/api/myid").json()
{'id': 'myid'}
>>> requests.options("http://localhost:8000/api/myid")
<Response [200]>
```

If I however have ids with special characters that I want to use, this leads to errors:

```python
>>> requests.options("http://localhost:8000/api/my-id")
<Response [500]>
```

The error on the server is this:

```
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/wsgiref/handlers.py", line 137, in run
    self.result = application(self.environ, self.start_response)
  File "/Users/e/PycharmProjects/hugbug/venv/lib/python3.6/site-packages/falcon/api.py", line 260, in __call__
    process_response(req, resp, resource, req_succeeded)
  File "/Users/e/PycharmProjects/hugbug/venv/lib/python3.6/site-packages/falcon/api_helpers.py", line 93, in shim
    process_response(req, resp, resource)
  File "/Users/e/PycharmProjects/hugbug/venv/lib/python3.6/site-packages/hug/middleware.py", line 144, in process_response
    for _, routes in self.api.http.routes.items()
  File "/Users/e/PycharmProjects/hugbug/venv/lib/python3.6/site-packages/hug/middleware.py", line 145, in <genexpr>
    for method, _ in routes[self.match_route(request.path)].items()
KeyError: '/api/my-id'
127.0.0.1 - - [18/Apr/2018 23:15:14] "OPTIONS /api/my-id HTTP/1.1" 500 59
```

No match had been made and this is due to the regex here. It replaces all parameter placeholders in url routes with the regex \w+ meaning that parameter values with characters other than [a-zA-Z0-9_] will create an error. In my opinion I would like the replacing regex for route matching to be something like [\w.\-~!$&'()*+,;=:@]+.

I will draft a PR if you deem this to be a bug, but I want to ask if there was a reason for not having such a matching before I do.

Thank you once more for a fantastic framework!

guanzo commented May 10, 2018

I'm running into this issue too. My user ids are UUID4 which contain multiple hyphens.

@CrackerJackMack

Am I mistaken that this issue might be resolved now via #642 >v2.4.1?

hbldh commented Dec 28, 2018

@CrackerJackMack Partly, but not in a good enough way imo: \w- still only adds hyphen to the allowed characters in CORS-enabled endpoints.

In the monkeypatched middleware I use I have this instead of line 132 in hug/middleware.py:

```python
if re.match(re.sub(r"/{[^{}]+}", ".+", route) + "$", reqpath, re.DOTALL):
```

This allows for ids containing e.g. @ to be used in the url. It also allows anything else...
The external api I use has these kinds of ids, so I needed to handle these characters.

@timothycrosley
Collaborator

@hbldh,

I've added your solution and deployed a new version of Hug,

Thanks!

~Timothy
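
An added example, not part of the thread or of hug's code: it runs the placeholder patterns discussed above against constructed sample paths to show how far each one reaches. Only the `.+` / `re.DOTALL` expression is quoted from the thread; the `\w+` and `[\w-]+` matchers are reconstructed from the descriptions in the comments, and `[^/]+` (exactly one path segment) is an assumption of this example, as are all function names.

```python
import re

PLACEHOLDER = re.compile(r"\{[^{}]+\}")


def template_regex(route, param):
    """Swap each {name} for `param`, keeping the rest of the route literal."""
    return param.join(re.escape(part) for part in PLACEHOLDER.split(route))


def match_word(route, path):
    # Behaviour described in the issue: parameters limited to \w+
    return re.fullmatch(template_regex(route, r"\w+"), path) is not None


def match_word_hyphen(route, path):
    # Behaviour described for the #642 change: \w plus hyphen
    return re.fullmatch(template_regex(route, r"[\w-]+"), path) is not None


def match_dotall(route, path):
    # Expression quoted in the thread; note the "/" before the placeholder
    # is consumed by the substitution, so "/api/{the_id}" becomes "/api.+$"
    return re.match(re.sub(r"/{[^{}]+}", ".+", route) + "$", path, re.DOTALL) is not None


def match_segment(route, path):
    # This example's alternative: any characters, but only one path segment
    return re.fullmatch(template_regex(route, r"[^/]+"), path) is not None


MATCHERS = {"word": match_word, "word_hyphen": match_word_hyphen,
            "dotall": match_dotall, "segment": match_segment}

# Constructed request paths, checked against the route from the issue
SAMPLE_PATHS = ["/api/myid", "/api/my-id", "/api/user@example.com",
                "/api/a/b/c", "/apiary/other"]


def coverage(route, paths=SAMPLE_PATHS):
    """Map each path to the names of the matchers that accept it for `route`."""
    return {p: [n for n, fn in MATCHERS.items() if fn(route, p)] for p in paths}


if __name__ == "__main__":
    for path, names in coverage("/api/{the_id}").items():
        print(f"{path:25} {', '.join(names)}")
```

The last two sample paths are accepted only by the `.+` form, which is the "allows anything else" effect mentioned in the thread: the CORS route match for `/api/{the_id}` also succeeds for nested paths and for paths that merely start with `/api`.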
