CORS security send cookies
ChromaticPanic committed Nov 5, 2024
1 parent 1c631a1 commit e6f3fff
Showing 2 changed files with 17 additions and 4 deletions.
3 changes: 3 additions & 0 deletions .env.template
Expand Up @@ -12,3 +12,6 @@ NACHET_MAX_CONTENT_LENGTH=
NACHET_VALID_EXTENSION=
NACHET_VALID_DIMENSION=
DEV_USER_EMAIL=
ENVIRONMENT=
URL_PROD=
URL_LOCAL=
18 changes: 14 additions & 4 deletions app.py
Expand Up @@ -88,6 +88,9 @@ class MaxContentLengthWarning(APIWarnings):
PIPELINE_BLOB_NAME = os.getenv("NACHET_BLOB_PIPELINE_NAME")

NACHET_DATA = os.getenv("NACHET_DATA")
ENVIRONMENT = os.getenv("ENVIRONMENT")
URL_LOCAL = os.getenv("URL_LOCAL")
URL_PROD = os.getenv("URL_PROD")

try:
VALID_EXTENSION = json.loads(os.getenv("NACHET_VALID_EXTENSION"))
Expand Down Expand Up @@ -129,8 +132,15 @@ class MaxContentLengthWarning(APIWarnings):

CACHE = {"seeds": None, "endpoints": None, "pipelines": {}, "validators": []}

cors_settings = {
"allow_origin": [URL_LOCAL] if ENVIRONMENT == "local" else [URL_PROD],
"allow_methods": ["GET", "POST", "OPTIONS"],
"allow_credentials": True,
"max_age": 86400
}

app = Quart(__name__)
app = cors(app, allow_origin="*", allow_methods=["GET", "POST", "OPTIONS"])
app = cors(app, **cors_settings)
app.config["MAX_CONTENT_LENGTH"] = MAX_CONTENT_LENGTH_MEGABYTES * 1024 * 1024


Expand Down Expand Up @@ -191,12 +201,12 @@ async def get_user_id():
"""
try:
email = None
internal = True # set flag to false if developing locally

if "jxVouchCookie" in request.cookies:
email = decode_vouch_cookie(request.cookies["jxVouchCookie"])
decoded_cookie = decode_vouch_cookie(request.cookies["jxVouchCookie"])
email = decoded_cookie["CustomClaims"]["email"]

if not internal and not email: # only allow internal requests to bypass email
if ENVIRONMENT == "local" and not email: # only allow local dev requests to bypass email
data = await request.get_json()
email = data.get("email")

