Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ENG-3583] Respect cors_allowed_origins for backend HTTP requests #4533

Merged
merged 1 commit into from
Dec 13, 2024
Merged

[ENG-3583] Respect cors_allowed_origins for backend HTTP requests #4533

merged 1 commit into from
Dec 13, 2024

Conversation

masenf
Copy link
Collaborator

@masenf masenf commented Dec 12, 2024

Some test code

import reflex as rx


pinging = rx._x.client_state(default=False)
ping_success = rx._x.client_state(default=False)
fetch_response = rx._x.client_state(default="")


def index() -> rx.Component:
    # Welcome Page (Index)
    return rx.container(
        rx.color_mode.button(position="top-right"),
        rx.vstack(
            rx.heading("Welcome to Reflex!", size="9"),
            # Comment the following two lines to make a stateless app
            rx.text(f"my sid: {rx.State.router.session.session_id}"),
            rx.text(f"my token: {rx.State.router.session.client_token}"),
            rx.hstack(
                pinging,         ######
                ping_success,    ##  Client state vars
                fetch_response,  ######
                rx.button(
                    "Ping",
                    size="4",
                    disabled=pinging.value,
                    color_scheme=rx.cond(
                        pinging.value,
                        "blue",
                        rx.cond(ping_success.value, "green", "red"),
                    ),
                    on_click=rx.run_script("{"
                        f"{pinging.set_value(True)}(); "
                        f"{fetch_response.set_value('')}(); "
                        "fetch(getBackendURL(env.PING))"
                        f".then((data) => {{ {ping_success.set}(data.ok); data.text().then({fetch_response.set}) }})"
                        f".catch((error) => {{ {ping_success.set_value(False)}(); {fetch_response.set}(error.message) }})"
                        f".finally({pinging.set_value(False)}); "
                    "}"),
                ),
                rx.cond(
                    fetch_response.value != "",
                    rx.text(fetch_response.value),
                    rx.cond(pinging.value, rx.spinner()),
                ),
                align="center",
            ),
        ),
        rx.logo(),
    )


app = rx.App()
app.add_page(index)

in rxconfig.py

import reflex as rx

config = rx.Config(
    app_name="repro_cors",
    cors_allowed_origins=["http://localhost:3001", "http://localhost:3000"],
)

Running the app stateless with various combinations of cors_allowed_origins shows that CORS is now respected on the HTTP connection.

CORS has been respected on the websocket connection for quite a while, but for some reason all origins were being allowed to other backend HTTP routes, like _upload and ping. Now those are protected by the starlette CORSMiddleware.

@linear Linear
Copy link

linear bot commented Dec 12, 2024

ENG-3583 The app doesn't respect CORS

@masenf masenf merged commit f4aea1b into main Dec 13, 2024
41 checks passed
@masenf masenf deleted the masenf/fix-cors branch December 13, 2024 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@picklelo picklelo picklelo approved these changes

@Lendemor Lendemor Lendemor approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@masenf @Lendemor @picklelo