feat(middleware): allow dynamic validation of CORS origins

[willnewton]

• feat(middleware): support callable filter for CORSMiddleware

• tests(cors_middleware): add tests for dynamic origins

Summary of Changes

Allow passing a function to the CORSMiddleware for origin validation. This allows arbitrary validation like applying regexes etc.

Related Issues

I opened an issue regarding this feature request: #2050

Pull Request Checklist

This is just a reminder about the most common mistakes. Please make sure that you tick all appropriate boxes. But please read our contribution guide at least once; it will save you a few review cycles!

If an item doesn't apply to your pull request, check it anyway to make it apparent that there's nothing to do.

• [X ] Applied changes to both WSGI and ASGI code paths and interfaces (where applicable).
• [X ] Added tests for changed code.
• [X ] Prefixed code comments with GitHub nick and an appropriate prefix.
• [X ] Coding style is consistent with the rest of the framework.
• [X ] Updated documentation for changed code.
  • [X ] Added docstrings for any new classes, functions, or modules.
  • [X ] Updated docstrings for any modifications to existing code.
  • [X ] Updated both WSGI and ASGI docs (where applicable).
  • [X ] Added references to new classes, functions, or modules to the relevant RST file under docs/.
  • [X ] Updated all relevant supporting documentation files under docs/.
  • [X ] A copyright notice is included at the top of any new modules (using your own name or the name of your organization).
  • [X ] Changed/added classes/methods/functions have appropriate versionadded, versionchanged, or deprecated directives.
• [X ] Changes (and possible deprecations) have towncrier news fragments under docs/_newsfragments/, with the file name format {issue_number}.{fragment_type}.rst. (Run towncrier --draft to ensure it renders correctly.)

If you have any questions to any of the points above, just submit and ask! This checklist is here to help you, not to deter you from contributing!

PR template inspired by the attrs project.

[vytas7]

Thanks for this prototype @willnewton!

I'm admittedly a bit divided here though... 🤔 On the one hand, it would be a shame to say no a neat improvement like this, OTOH, we haven't made a decision on whether we want this feature in the framework itself or not. It's always better to discuss before building issues marked with the decision-needed label.

@CaselIT @kgriffs thoughts on including this feature?

[codecov]

Codecov Report

Merging #2052 (394758c) into master (130572d) will not change coverage.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##            master     #2052   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           63        63           
  Lines         6707      6721   +14     
  Branches      1238      1241    +3     
=========================================
+ Hits          6707      6721   +14     

Impacted Files	Coverage Δ
falcon/middleware.py	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 130572d...394758c. Read the comment docs.

[CaselIT]

I'm not against it, I would need to look at the implementation a bit more though.

[kgriffs]

IMO it would be fine to move forward with this. It affords additional use cases without the framework needing to implement and maintain explicit support for them.

[kgriffs]

I think we'll need an update to docs/api/cors.rst as well to better explain how to use the callable option, provide an example.

[kgriffs]

See above.

[kgriffs]

Should this be part of the public interface? It seems like it should be private (prefixed w/ an undescore), at least in the first release until we discover otherwise.

[kgriffs]

Style: prefix allow_origins_wildcard name with an underscore; I don't think there is any need to make this part of the public interface.

[kgriffs]

Style: prefix allow_origins_filter name with an underscore; I don't think there is any need to make this part of the public interface.

[vytas7]

IMO it would be fine to move forward with this. It affords additional use cases without the framework needing to implement and maintain explicit support for them.

Hm, not sure about this one @kgriffs. Maybe a better course of action could be breaking out that validation part to a public method of CORSMiddleware, and document an example how to subclass and override that? This is how some other parts of Falcon like media handlers are implemented too.

The async flavour could by default call the synchronous version directly, but it should be possible to do perform origin validation asynchronously too. Passing in a callable makes this somewhat trickier, or should we detect a coroutine function and act accordingly? Or just document it must be a sync function like in field converters?

[kgriffs]

@vytas7 I see your point. We should iterate on this design to make it more consistent with other parts of the framework.

[vytas7]

@willnewton I'm going to close this pull request for now, but we'll leave your issue (#2050) open for discussion on how to best implement this (or at least make it easy to customize).