feat(middleware): allow dynamic validation of CORS origins #2052
* feat(middleware): support callable filter for CORSMiddleware
* tests(cors_middleware): add tests for dynamic origins
Thanks for this prototype @willnewton!
I'm admittedly a bit divided here though... 🤔 On the one hand, it would be a shame to say no to a neat improvement like this, OTOH, we haven't made a decision on whether we want this feature in the framework itself or not. It's always better to discuss before building issues marked with the decision-needed label.
Codecov Report
@@ Coverage Diff @@
## master #2052 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 63 63
Lines 6707 6721 +14
Branches 1238 1241 +3
=========================================
+ Hits 6707 6721 +14
I'm not against it, I would need to look at the implementation a bit more though.
IMO it would be fine to move forward with this. It affords additional use cases without the framework needing to implement and maintain explicit support for them.
@@ -19,7 +22,7 @@ class CORSMiddleware(object): | |||
|
|||
Keyword Arguments: | |||
allow_origins (Union[str, Iterable[str]]): List of origins to allow (case | |||
sensitive). The string ``'*'`` acts as a wildcard, matching every origin. | |||
sensitive) or callable. The string ``'*'`` acts as a wildcard, matching every origin. |
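Review bot: the type on the allow_origins line still reads Union[str, Iterable[str]] although the description now adds "or callable", while the allow_credentials entry spells the callable type out as OriginFilter. Use the same union here, and state what the callable is passed and what its return value means, since "case sensitive" no longer describes how a callable compares origins.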
I think we'll need an update to docs/api/cors.rst as well to better explain how to use the callable option, provide an example.
allow_credentials (Optional[Union[str, Iterable[str]]]): List of origins | ||
(case sensitive) for which to allow credentials via the | ||
allow_credentials (Optional[Union[str, Iterable[str], OriginFilter]]): List of origins | ||
(case sensitive) or callable for which to allow credentials via the |
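Review bot: "or callable for which to allow credentials" leaves the OriginFilter contract undocumented in this docstring. Say which argument the callable receives and which return value enables credentials for that origin; because this setting decides which origins get credentialed cross-origin access, the docstring should also recommend matching whole origins rather than substrings.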
See above.
) | ||
self.allow_credentials_filter = self.create_origin_filter(allow_credentials) | ||
|
||
def create_origin_filter(self, allow_list): |
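Review bot: allow_credentials is documented as Optional, and it is passed straight into create_origin_filter(allow_list) here; the visible lines do not show the None case. Make sure None produces a filter that rejects every origin, and cover that with a test.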
Should this be part of the public interface? It seems like it should be private (prefixed w/ an underscore), at least in the first release until we discover otherwise.
): | ||
if allow_origins == '*': | ||
self.allow_origins = allow_origins | ||
self.allow_origins_wildcard = False |
Style: prefix allow_origins_wildcard name with an underscore; I don't think there is any need to make this part of the public interface.
self.allow_origins = allow_origins | ||
self.allow_origins_wildcard = False | ||
if isinstance(allow_origins, Callable): | ||
self.allow_origins_filter = allow_origins |
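Review bot: isinstance(allow_origins, Callable) depends on which Callable name this module imports; the builtin callable(allow_origins) performs the same check without that dependency and is the more common spelling.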
Style: prefix allow_origins_filter name with an underscore; I don't think there is any need to make this part of the public interface.
Hm, not sure about this one @kgriffs. Maybe a better course of action could be breaking out that validation part to a public method of The
@vytas7 I see your point. We should iterate on this design to make it more consistent with other parts of the framework.
@willnewton I'm going to close this pull request for now, but we'll leave your issue (#2050) open for discussion on how to best implement this (or at least make it easy to customize).
Summary of Changes
Allow passing a function to the CORSMiddleware for origin validation. This allows arbitrary validation like applying regexes etc.
Related Issues
I opened an issue regarding this feature request: #2050
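An added example, not code from this pull request or from Falcon: the regex-based origin validation mentioned in the summary, written as a callable, with a weak variant beside a strict one. The callable's contract (Origin string in, bool out), the example.com policy and the `cors_headers` helper are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed policy: HTTPS origins on example.com or any of its subdomains.
_TRUSTED_HOST = re.compile(r"(?:[a-z0-9-]+\.)*example\.com")


def naive_origin_filter(origin):
    """Weak filter: unanchored search, and '.' matches any character."""
    return re.search(r"example.com", origin) is not None


def strict_origin_filter(origin):
    """Assumed contract: take the Origin header value, return True to allow it."""
    try:
        parts = urlsplit(origin or "")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # A serialized origin is scheme://host[:port] and nothing else.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    # hostname is already lower-cased by urlsplit; fullmatch anchors both ends.
    return _TRUSTED_HOST.fullmatch(parts.hostname or "") is not None


def cors_headers(origin, allow_origin, allow_credentials=None):
    """Hypothetical helper (not Falcon's API): headers a CORS layer would emit."""
    headers = {"Vary": "Origin"}  # the response varies with the request origin
    if origin and allow_origin(origin):
        headers["Access-Control-Allow-Origin"] = origin
        if allow_credentials is not None and allow_credentials(origin):
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://example.com.untrusted.test",
              "https://notexample.com", "http://app.example.com"):
        print(o, naive_origin_filter(o), strict_origin_filter(o))
```

The naive filter accepts every sample origin because it matches a substring; the strict one accepts only the first.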