From 0a29ae81bfc97ed1927e9d90e5cdd7fc419b0453 Mon Sep 17 00:00:00 2001
From: Lucie
Date: Wed, 28 Mar 2018 18:12:37 +0200
Subject: [PATCH] CORS env fix (#334)

* CORS env fix
* revert to the original CORS library
* We can't rely only on CORS_ORIGIN_WHITELIST for creating the CSRF whitelist
* Update Cors_origin_whitelist and the sample var file
* Update app.json
* small fixes
---
 app.json | 10 +++++++++-
 pulseapi/settings.py | 16 ++++++++--------
 requirements.txt | 2 +-
 sample.env | 4 +++-
 4 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/app.json b/app.json
index 29930a4..f728b6a 100644
--- a/app.json
+++ b/app.json
@@ -31,9 +31,17 @@
     "AWS_STORAGE_ROOT": {
       "required": true
     },
+    "CORS_ORIGIN_REGEX_WHITELIST": {
+      "required": true
+    },
+    "CORS_ORIGIN_WHITELIST": {
+      "required": true
+    },
+    "CSRF_TRUSTED_ORIGINS": {
+      "required": true
+    },
     "USE_S3": "True",
     "SSL_PROTECTION": "False",
-    "CORS_ORIGIN_ALLOW_ALL": "True",
     "DEBUG": "True"
   },
   "addons": [
diff --git a/pulseapi/settings.py b/pulseapi/settings.py
index e1c646c..013c989 100644
--- a/pulseapi/settings.py
+++ b/pulseapi/settings.py
@@ -25,10 +25,12 @@ env = environ.Env(
     DEBUG=(bool, False),
     USE_S3=(bool, False),
     SSL_PROTECTION=(bool, False),
-    CORS_REGEX_WHITELIST=(tuple, ()),
+    CORS_ORIGIN_REGEX_WHITELIST=(list, []),
+    CORS_ORIGIN_WHITELIST=(list, []),
     HEROKU_APP_NAME=(str, ''),
     PULSE_FRONTEND_HOSTNAME=(str, ''),
-    SECRET_KEY=(str, '')
+    SECRET_KEY=(str, ''),
+    CSRF_TRUSTED_ORIGINS=(list, []),
 )
 
 SSL_PROTECTION = env('SSL_PROTECTION')
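Review bot: Renaming `CORS_REGEX_WHITELIST` to `CORS_ORIGIN_REGEX_WHITELIST` inside the `environ.Env(...)` declaration silently disables the regex whitelist on any deployment that still exports the old name, because django-environ then falls back to the new `(list, [])` default and every cross-origin request is refused instead of an error being raised. That is the safe direction, but it will show up as an unexplained CORS outage rather than a configuration error. A one-line guard next to the declaration turns it into a loud failure: `if 'CORS_REGEX_WHITELIST' in os.environ: raise ImproperlyConfigured('CORS_REGEX_WHITELIST was renamed to CORS_ORIGIN_REGEX_WHITELIST')` — the removed code used `os.getenv`, so `os` is already imported, while `ImproperlyConfigured` needs `from django.core.exceptions import ImproperlyConfigured` if settings.py does not have it yet. The `env = environ.Env(` call itself opens before this hunk.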
@@ -231,14 +233,12 @@
 CORS_ORIGIN_ALLOW_ALL = False
 CORS_ALLOW_CREDENTIALS = True
 # and we want origin whitelisting
-CORS_ORIGIN_WHITELIST = os.getenv(
-    'CORS_ORIGIN_WHITELIST',
-    'localhost:3000,localhost:8000,localhost:8080,test.example.com:8000,test.example.com:3000'
-).split(',')
+CORS_ORIGIN_WHITELIST = env('CORS_ORIGIN_WHITELIST')
 
-CORS_ORIGIN_REGEX_WHITELIST = env('CORS_REGEX_WHITELIST')
+CORS_ORIGIN_REGEX_WHITELIST = env('CORS_ORIGIN_REGEX_WHITELIST')
 
-CSRF_TRUSTED_ORIGINS = CORS_ORIGIN_WHITELIST
+
+CSRF_TRUSTED_ORIGINS = env('CSRF_TRUSTED_ORIGINS')
 CSRF_COOKIE_HTTPONLY = env('CSRF_COOKIE_HTTPONLY', default=SSL_PROTECTION)
 CSRF_COOKIE_SECURE = env('CSRF_COOKIE_SECURE', default=SSL_PROTECTION)
 SECURE_BROWSER_XSS_FILTER = env('SECURE_BROWSER_XSS_FILTER', default=SSL_PROTECTION)
diff --git a/requirements.txt b/requirements.txt
index c4c064d..21a16ad 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@ colorama==0.3.7
 configobj==5.0.6
 dj-database-url==0.4.1
 Django==1.11
-django-cors-middleware==1.3.1
+django-cors-headers==2.2.0
 django-debug-toolbar==1.9.1
 django-environ==0.4.1
 django-filter==1.1
diff --git a/sample.env b/sample.env
index 8996e50..734b320 100644
--- a/sample.env
+++ b/sample.env
@@ -2,4 +2,6 @@ DEBUG=True
 REDIRECT_URIS=http://test.example.com:8000/api/pulse/oauth2callback
 SSL_PROTECTION=False
 PULSE_FRONTEND_HOSTNAME=localhost:3000
-SECRET_KEY=BetPHpGoUXUwjaAXm6ArIhV95xLdDZtu8QEGnNXY3eTknIkD
\ No newline at end of file
+SECRET_KEY=BetPHpGoUXUwjaAXm6ArIhV95xLdDZtu8QEGnNXY3eTknIkD
+CORS_ORIGIN_REGEX_WHITELIST=http://localhost:\d+,http://test.example.com:\d+
+CSRF_TRUSTED_ORIGINS=localhost:3000,localhost:8000,localhost:8080,test.example.com:8000,test.example.com:3000
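Review bot: `CORS_ORIGIN_WHITELIST = env('CORS_ORIGIN_WHITELIST')` takes the list straight from the environment, and because app.json now marks the variable required, operators who only use the regex whitelist will set it to an empty string. Check how django-environ 0.4.1 casts `''` with the `list` type: if it yields `['']` rather than `[]`, an `Origin: null` request (sandboxed iframes, `file://` pages, some redirect chains) has an empty netloc and, as far as I recall the 2.x whitelist check, is accepted — with `CORS_ALLOW_CREDENTIALS = True` in force two lines above. Filtering empties closes that regardless of the library's behaviour: `CORS_ORIGIN_WHITELIST = [o for o in env('CORS_ORIGIN_WHITELIST') if o]`, and the same for `CSRF_TRUSTED_ORIGINS`. The three settings also want different formats, which the split away from a shared list makes easy to get wrong and which deserves a comment above the assignments: django-cors-headers 2.x compares `CORS_ORIGIN_WHITELIST` entries against the scheme-less `host[:port]` of the Origin and `re.match`es each `CORS_ORIGIN_REGEX_WHITELIST` pattern against the full Origin including scheme, while Django 1.11's `CSRF_TRUSTED_ORIGINS` is a scheme-less `host[:port]` list consulted only for HTTPS requests — so a value copied from one setting to another will not match.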
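Review bot: The sample regexes `http://localhost:\d+,http://test.example.com:\d+` are neither anchored at the end nor dot-escaped, and sample values are what gets pasted into real environments. As far as I recall django-cors-headers 2.x applies `re.match` to the full Origin, which anchors only the start, so `http://test.example.com:\d+` also accepts `http://test-example.com:8000` (an attacker-registrable name) or any other single-character substitute for the dots, and settings.py has `CORS_ALLOW_CREDENTIALS` on. Ship the sample in the shape people should copy: `CORS_ORIGIN_REGEX_WHITELIST=^http://localhost:\d+$,^http://test\.example\.com:\d+$`. A comment line above it saying that entries are comma-separated, anchored regexes matched against the full Origin including scheme, unlike the scheme-less `host:port` entries of `CSRF_TRUSTED_ORIGINS` on the next line, would spare the next reader a trip through the middleware source. The `SECRET_KEY` line is only re-added for its trailing newline, but a sample file is better off with a placeholder such as `SECRET_KEY=change-me` than with a real-looking key that can end up in a deployment unchanged.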