
D4441.id.diff

diff --git a/swh/web/settings/common.py b/swh/web/settings/common.py
--- a/swh/web/settings/common.py
+++ b/swh/web/settings/common.py
@@ -274,7 +274,7 @@
JS_REVERSE_JS_MINIFY = False
CORS_ORIGIN_ALLOW_ALL = True
-CORS_URLS_REGEX = r"^/badge/.*$"
+CORS_URLS_REGEX = r"^/(badge|api)/.*$"
AUTHENTICATION_BACKENDS = [
"django.contrib.auth.backends.ModelBackend",
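Review bot: With `CORS_ORIGIN_ALLOW_ALL = True`, widening `CORS_URLS_REGEX` to `/api/` is only safe while `CORS_ALLOW_CREDENTIALS` stays at its default of False, and nothing near these settings says so. If that flag were ever enabled, django-cors-headers would echo the caller's origin and allow credentialed cross-origin reads of the API for logged-in users. Whether the flag is set elsewhere in this file is not visible from the hunk. I would record the constraint next to the regex, for example `# CORS is open to every origin for /badge/ and /api/; never set CORS_ALLOW_CREDENTIALS = True alongside this`. On django-cors-headers 3.5 or later, `CORS_ORIGIN_ALLOW_ALL` is also the legacy alias of `CORS_ALLOW_ALL_ORIGINS`.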
diff --git a/swh/web/tests/api/test_apiresponse.py b/swh/web/tests/api/test_apiresponse.py
--- a/swh/web/tests/api/test_apiresponse.py
+++ b/swh/web/tests/api/test_apiresponse.py
@@ -5,14 +5,21 @@
import json
+from corsheaders.middleware import ACCESS_CONTROL_ALLOW_ORIGIN
+from hypothesis import given
+
+from swh.model.identifiers import CONTENT, DIRECTORY, REVISION
from swh.web.api.apiresponse import (
compute_link_header,
filter_by_fields,
make_api_response,
transform,
)
+from swh.web.common.identifiers import gen_swhid
from swh.web.common.utils import reverse
from swh.web.tests.django_asserts import assert_contains
+from swh.web.tests.strategies import content, directory, revision
+from swh.web.tests.utils import check_http_get_response, check_http_post_response
def test_compute_link_header():
@@ -140,3 +147,28 @@
assert resp.status_code == 500
assert "traceback" in resp.data
assert "Traceback" in resp.data["traceback"]
+
+
+@given(content(), directory(), revision())
+def test_api_endpoints_have_cors_headers(client, content, directory, revision):
+ url = reverse("api-1-stat-counters")
+
+ resp = check_http_get_response(
+ client, url, status_code=200, http_origin="https://example.org"
+ )
+ assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
+
+ swhids = [
+ gen_swhid(CONTENT, content["sha1_git"]),
+ gen_swhid(DIRECTORY, directory),
+ gen_swhid(REVISION, revision),
+ ]
+ url = reverse("api-1-known")
+ resp = client.options(url, HTTP_ORIGIN="https://example.org")
+ assert resp.status_code == 200
+ assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
+
+ resp = resp = check_http_post_response(
+ client, url, data=swhids, status_code=200, http_origin="https://example.org"
+ )
+ assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
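Review bot: The new test in test_api_endpoints_have_cors_headers only asserts that `Access-Control-Allow-Origin` is present on `/api/` responses, so it would still pass if the policy became broader than intended. A companion assertion such as `assert "Access-Control-Allow-Credentials" not in resp` would pin that credentialed cross-origin access stays off. A request to a route outside `/badge/` and `/api/` should also assert `ACCESS_CONTROL_ALLOW_ORIGIN not in resp`, to guard the regex itself. Separately, `resp = resp = check_http_post_response(` has a duplicated assignment target and should read `resp = check_http_post_response(`.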
diff --git a/swh/web/tests/utils.py b/swh/web/tests/utils.py
--- a/swh/web/tests/utils.py
+++ b/swh/web/tests/utils.py
@@ -71,6 +71,7 @@
status_code: int,
content_type: str = "*/*",
data: Optional[Dict[str, Any]] = None,
+ http_origin: Optional[str] = None,
) -> HttpResponse:
"""Helper function to check HTTP response for a POST request.
@@ -86,7 +87,11 @@
"""
return _assert_http_response(
response=client.post(
- url, data=data, content_type="application/json", HTTP_ACCEPT=content_type,
+ url,
+ data=data,
+ content_type="application/json",
+ HTTP_ACCEPT=content_type,
+ HTTP_ORIGIN=http_origin,
),
status_code=status_code,
content_type=content_type,
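Review bot: `HTTP_ORIGIN=http_origin` is passed to `client.post` unconditionally, so every existing caller that omits the argument now sends a request whose environ contains `HTTP_ORIGIN: None` instead of having no Origin header. The CORS middleware most likely treats a falsy origin as absent, but other code reading `request.META` or `request.headers` would see a None value that a real client never produces. Building the extras conditionally avoids that: `extra = {"HTTP_ORIGIN": http_origin} if http_origin else {}` followed by `**extra` in the call. The docstring, which starts in the previous hunk and continues outside both, should also gain an entry for `http_origin`. The test calls `check_http_get_response` with the same keyword, but this diff does not show that helper, so it is worth confirming it handles the None case the same way.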
