CORS env fix (#334)

* CORS env fix * revert to the original CORS library * We can't rely only on CORS_ORIGIN_WHITELIST for creating the CSRF whitelist * Update Cors_origin_whitelist and the sample var file * Update app.json * small fixes
2018-03-28 18:12:37 +02:00 · 2018-03-28 18:12:37 +02:00 · 0a29ae81bf
--- a/app.json
+++ b/app.json
@ -31,9 +31,17 @@
    "AWS_STORAGE_ROOT": {
      "required": true
    },
+    "CORS_ORIGIN_REGEX_WHITELIST": {
+      "required": true
+    },
+    "CORS_ORIGIN_WHITELIST": {
+      "required": true
+    },
+    "CSRF_TRUSTED_ORIGINS": {
+      "required": true
+    },
    "USE_S3": "True",
    "SSL_PROTECTION": "False",
-    "CORS_ORIGIN_ALLOW_ALL": "True",
    "DEBUG": "True"
  },
  "addons": [
--- a/pulseapi/settings.py
+++ b/pulseapi/settings.py
@ -25,10 +25,12 @@ env = environ.Env(
    DEBUG=(bool, False),
    USE_S3=(bool, False),
    SSL_PROTECTION=(bool, False),
-    CORS_REGEX_WHITELIST=(tuple, ()),
+    CORS_ORIGIN_REGEX_WHITELIST=(list, []),
+    CORS_ORIGIN_WHITELIST=(list, []),
    HEROKU_APP_NAME=(str, ''),
    PULSE_FRONTEND_HOSTNAME=(str, ''),
-    SECRET_KEY=(str, '')
+    SECRET_KEY=(str, ''),
+    CSRF_TRUSTED_ORIGINS=(list, []),
 )

 SSL_PROTECTION = env('SSL_PROTECTION')
@ -231,14 +233,12 @@ CORS_ORIGIN_ALLOW_ALL = False
 CORS_ALLOW_CREDENTIALS = True

 # and we want origin whitelisting
-CORS_ORIGIN_WHITELIST = os.getenv(
-    'CORS_ORIGIN_WHITELIST',
-    'localhost:3000,localhost:8000,localhost:8080,test.example.com:8000,test.example.com:3000'
-).split(',')
+CORS_ORIGIN_WHITELIST = env('CORS_ORIGIN_WHITELIST')

-CORS_ORIGIN_REGEX_WHITELIST = env('CORS_REGEX_WHITELIST')
+CORS_ORIGIN_REGEX_WHITELIST = env('CORS_ORIGIN_REGEX_WHITELIST')

-CSRF_TRUSTED_ORIGINS = CORS_ORIGIN_WHITELIST
+
+CSRF_TRUSTED_ORIGINS = env('CSRF_TRUSTED_ORIGINS')
 CSRF_COOKIE_HTTPONLY = env('CSRF_COOKIE_HTTPONLY', default=SSL_PROTECTION)
 CSRF_COOKIE_SECURE = env('CSRF_COOKIE_SECURE', default=SSL_PROTECTION)
 SECURE_BROWSER_XSS_FILTER = env('SECURE_BROWSER_XSS_FILTER', default=SSL_PROTECTION)
--- a/requirements.txt
+++ b/requirements.txt
@ -6,7 +6,7 @@ colorama==0.3.7
 configobj==5.0.6
 dj-database-url==0.4.1
 Django==1.11
-django-cors-middleware==1.3.1
+django-cors-headers==2.2.0
 django-debug-toolbar==1.9.1
 django-environ==0.4.1
 django-filter==1.1
--- a/sample.env
+++ b/sample.env
@ -2,4 +2,6 @@ DEBUG=True
 REDIRECT_URIS=http://test.example.com:8000/api/pulse/oauth2callback
 SSL_PROTECTION=False
 PULSE_FRONTEND_HOSTNAME=localhost:3000
-SECRET_KEY=BetPHpGoUXUwjaAXm6ArIhV95xLdDZtu8QEGnNXY3eTknIkD
+SECRET_KEY=BetPHpGoUXUwjaAXm6ArIhV95xLdDZtu8QEGnNXY3eTknIkD
+CORS_ORIGIN_REGEX_WHITELIST=http://localhost:\d+,http://test.example.com:\d+
+CSRF_TRUSTED_ORIGINS=localhost:3000,localhost:8000,localhost:8080,test.example.com:8000,test.example.com:3000