Merge branch 'django-3-update-cors' into feature/django_upgrade

Closes #10045 Fix CORS for ORIGINS_WHITELIST Part of [ENG-3948] Post-upgrade compatibility fix
CenterForOpenScience · Sep 9, 2022 · c03627b · c03627b
2 parents eb93348 + 07ee7e6
commit c03627b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/api/base/middleware.py b/api/base/middleware.py
@@ -70,7 +70,7 @@ class CorsMiddleware(corsheaders.middleware.CorsMiddleware):
     def origin_found_in_white_lists(self, origin, url):
         settings.CORS_ORIGIN_WHITELIST += api_settings.ORIGINS_WHITELIST
         # Check if origin is in the dynamic custom domain whitelist
-        found = super(CorsMiddleware, self).origin_found_in_white_lists(origin, url)
+        found = super().origin_found_in_white_lists(origin, url)
         # Check if a cross-origin request using the Authorization header
         if not found:
             if not self._context.request.COOKIES:

diff --git a/api/base/settings/__init__.py b/api/base/settings/__init__.py
@@ -6,8 +6,6 @@
     >>> settings.API_BASE
     'v2/'
 """
-import os
-from future.moves.urllib.parse import urlparse
 import warnings
 import itertools
 
@@ -27,15 +25,17 @@
     for setting in ('JWE_SECRET', 'JWT_SECRET', 'BYPASS_THROTTLE_TOKEN', 'HASHIDS_SALT'):
         assert getattr(local, setting, None) and getattr(local, setting, None) != getattr(defaults, setting, None), '{} must be specified in local.py when DEV_MODE is False'.format(setting)
 
+
 def load_origins_whitelist():
     global ORIGINS_WHITELIST
     from osf.models import Institution, PreprintProvider
 
-    institution_origins = tuple(domain.lower() for domain in itertools.chain(*Institution.objects.values_list('domains', flat=True)))
+    institution_origins = tuple(f'https://{domain.lower()}' for domain in itertools.chain(*Institution.objects.values_list('domains', flat=True)))
 
     preprintprovider_origins = tuple(preprintprovider.domain.lower() for preprintprovider in PreprintProvider.objects.exclude(domain=''))
 
-    ORIGINS_WHITELIST = tuple(urlparse(url).geturl().lower().split('{}://'.format(urlparse(url).scheme))[-1] for url in institution_origins + preprintprovider_origins)
+    ORIGINS_WHITELIST = tuple(url for url in institution_origins + preprintprovider_origins)
+
 
 def build_latest_versions(version_data):
     """Builds a dict with greatest version keyed for each major version"""
@@ -46,4 +46,5 @@ def build_latest_versions(version_data):
             ret[major_version] = version
     return ret
 
+
 LATEST_VERSIONS = build_latest_versions(REST_FRAMEWORK['ALLOWED_VERSIONS'])
diff --git a/api_tests/base/test_middleware.py b/api_tests/base/test_middleware.py
@@ -62,7 +62,7 @@ def test_cross_origin_request_with_cookies_does_not_get_cors_headers(self):
         url = api_v2_url('users/me/')
         domain = urlparse('https://dinosaurs.sexy')
         request = self.request_factory.get(url, HTTP_ORIGIN=domain.geturl())
-        response = {}
+        response = HttpResponse()
         with mock.patch.object(request, 'COOKIES', True):
             self.middleware.process_request(request)
             self.middleware.process_response(request, response)
@@ -92,7 +92,7 @@ def test_cross_origin_request_with_Authorization_and_cookie_does_not_get_cors_he
             HTTP_ORIGIN=domain.geturl(),
             HTTP_AUTHORIZATION='Bearer aqweqweohuweglbiuwefq'
         )
-        response = {}
+        response = HttpResponse()
         with mock.patch.object(request, 'COOKIES', True):
             self.middleware.process_request(request)
             self.middleware.process_response(request, response)