From 01581494431e23982d82ef0d2d309d54603c094d Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 24 Jan 2020 14:36:48 -0500
Subject: [PATCH 01/11] Add decouple to settings and add CORS params.
---
ebdjango/settings.py | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 23fdb08..c8f2dc0 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -11,6 +11,8 @@ https://docs.djangoproject.com/en/1.10/ref/settings/ """ import os +from corsheaders.defaults import default_headers +from decouple import config SETTINGS_PATH = os.path.dirname(os.path.dirname(__file__))
@@ -38,6 +40,12 @@ if os.environ['ENVIRONMENT'] == 'local': ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', 'localhost').split(',') +if os.environ['ENVIRONMENT'] == 'local': + CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) + CORS_ALLOW_HEADERS = list(default_headers) + [ + 'x-blocpower-app-key', + 'x-blocpower-auth0-token' + ] # Application definition INSTALLED_APPS = [
@@ -62,8 +70,8 @@ INSTALLED_APPS = [ ] MIDDLEWARE = [ - 'django.middleware.csrf.CsrfViewMiddleware', 'corsheaders.middleware.CorsMiddleware', + 'django.middleware.csrf.CsrfViewMiddleware', 'django.middleware.common.CommonMiddleware', 'ebdjango.middleware.BasicAuthMiddleware', 'django.middleware.security.SecurityMiddleware',
-- 
GitLab
From 342ca7eebf88dd7d67d71026ce238a5e18ff29b5 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 24 Jan 2020 14:42:11 -0500
Subject: [PATCH 02/11] Add Csv to import.
---
ebdjango/settings.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index c8f2dc0..74270ad 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
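Review bot: The added `if os.environ['ENVIRONMENT'] == 'local':` repeats the condition of the `if` shown in the hunk header, and it configures CORS only for the local environment, so every other environment is left with django-cors-headers' default empty whitelist and no cross-origin request succeeds there (PATCH 03 and PATCH 05 later copy the same lines into an `else:`). Reading `CORS_ORIGIN_WHITELIST` once, above the conditional, covers all environments without the duplication. The block also mixes configuration sources: `ALLOWED_HOSTS` two lines up comes from `os.environ.get`, while the whitelist goes through `decouple.config`, which also consults a `.env` file; one mechanism for the whole settings module keeps the precedence rules obvious. `Csv` is used here but only `config` is imported in the first hunk; PATCH 02 adds it.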
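Review bot: Placing `corsheaders.middleware.CorsMiddleware` ahead of `CsrfViewMiddleware` is the order django-cors-headers documents, because the CORS headers must also be attached to the 403 responses the CSRF middleware returns, but nothing in the list records that constraint; a comment such as `# CorsMiddleware must precede any middleware that can short-circuit with a response (CSRF, BasicAuth)` would stop a later reorder from silently dropping CORS headers on CSRF rejections. The context lines also show `SecurityMiddleware` listed after `CommonMiddleware` and `BasicAuthMiddleware`, whereas Django's docs place it near the top so its redirects and headers apply to every response; that is pre-existing and worth a separate change. The rest of MIDDLEWARE lies outside the hunk.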
@@ -12,7 +12,7 @@ https://docs.djangoproject.com/en/1.10/ref/settings/ import os from corsheaders.defaults import default_headers -from decouple import config +from decouple import config, Csv SETTINGS_PATH = os.path.dirname(os.path.dirname(__file__))
-- 
GitLab
From aa24ee2c42360987b8de2772bb0a5723e3674886 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 24 Jan 2020 15:10:01 -0500
Subject: [PATCH 03/11] Make sure to use CORS_ORIGIN_WHITELIST in other environments as well.
---
ebdjango/settings.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 74270ad..7d605a6 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -46,6 +46,8 @@ if os.environ['ENVIRONMENT'] == 'local': 'x-blocpower-app-key', 'x-blocpower-auth0-token' ] +else: + CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) # Application definition INSTALLED_APPS = [
-- 
GitLab
From a27740498bb539530e755f3ec450ac717184c5c6 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 31 Jan 2020 13:32:49 -0500
Subject: [PATCH 04/11] Add new environment variable?
---
.env.default | 1 +
1 file changed, 1 insertion(+)
diff --git a/.env.default b/.env.default
index cb3f63a..aa39b73 100644
--- a/.env.default
+++ b/.env.default
@@ -31,3 +31,4 @@ export SAMPLE_REPORT_URL= export DJANGO_SETTINGS_MODULE= export DEBUG= export ALLOWED_HOSTS= +export CORS_ORIGIN_WHITELIST=
-- 
GitLab
From 9e49ad2e43cb77dbf20c4a6bfd90b378855f4293 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 31 Jan 2020 13:55:00 -0500
Subject: [PATCH 05/11] Add headers for CORS in dev as well.
---
ebdjango/settings.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 7d605a6..7807a98 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
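Review bot: The new `else:` branch reads `CORS_ORIGIN_WHITELIST` exactly as the `if` branch above it does, so the assignment does not depend on `ENVIRONMENT` and can be hoisted above the conditional; PATCH 05 and PATCH 06 then duplicate `CORS_ALLOW_HEADERS` and `CORS_ORIGIN_ALLOW_ALL` the same way. Keeping one copy means a later edit to one branch cannot quietly diverge from the other, which is what happens from PATCH 07 onward. The `if` branch starts outside the hunk.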
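Review bot: `export CORS_ORIGIN_WHITELIST=` says nothing about the expected value, and because settings.py parses it with `Csv()` and django-cors-headers (3.x, if that is the version pinned) validates that every whitelist entry carries a scheme, an entry like `example.com` fails at startup while an empty value silently yields an empty whitelist that blocks all cross-origin requests. The neighbouring variables are equally undocumented, but for this one a comment on the line above, e.g. `# comma-separated origins including scheme, e.g. https://app.example.com` (constructed example), would prevent the most common mistake.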
@@ -48,6 +48,10 @@ if os.environ['ENVIRONMENT'] == 'local': ] else: CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) + CORS_ALLOW_HEADERS = list(default_headers) + [ + 'x-blocpower-app-key', + 'x-blocpower-auth0-token' + ] # Application definition INSTALLED_APPS = [
-- 
GitLab
From 52edac0672b461ecc126b076184fd5b6deee360f Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 31 Jan 2020 14:48:57 -0500
Subject: [PATCH 06/11] Add CORS_ORIGIN_ALLOW_ALL = False to make sure that it is false.
---
ebdjango/settings.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 7807a98..1334726 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -41,12 +41,14 @@ if os.environ['ENVIRONMENT'] == 'local': ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', 'localhost').split(',') if os.environ['ENVIRONMENT'] == 'local': + CORS_ORIGIN_ALLOW_ALL = False CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) CORS_ALLOW_HEADERS = list(default_headers) + [ 'x-blocpower-app-key', 'x-blocpower-auth0-token' ] else: + CORS_ORIGIN_ALLOW_ALL = False CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) CORS_ALLOW_HEADERS = list(default_headers) + [ 'x-blocpower-app-key',
-- 
GitLab
From 28f3e9b67f550feb209312c3e43b6e8839d4ff49 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 31 Jan 2020 15:58:31 -0500
Subject: [PATCH 07/11] Add CSRF trusted origins.
---
ebdjango/settings.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 1334726..d35b64e 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -54,6 +54,9 @@ else: 'x-blocpower-app-key', 'x-blocpower-auth0-token' ] + CSRF_TRUSTED_ORIGINS = [ + 'localhost' + ] # Application definition INSTALLED_APPS = [
-- 
GitLab
From d0e1450f54e499fde2ba21bab99731991880d85f Mon Sep 17 00:00:00 2001
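Review bot: After this change the `if` and `else` branches are byte-for-byte identical (`CORS_ORIGIN_ALLOW_ALL`, `CORS_ORIGIN_WHITELIST`, `CORS_ALLOW_HEADERS` with the same header list), so the `ENVIRONMENT` test selects nothing and the settings can be stated once at module level. `CORS_ORIGIN_ALLOW_ALL = False` is also the django-cors-headers default; if it stays as an explicit guard, say so, e.g. `# explicit: never allow all origins, only those in CORS_ORIGIN_WHITELIST`, otherwise the next reader will assume the default differs. The tail of the `else` branch is outside the hunk.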
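Review bot: `CSRF_TRUSTED_ORIGINS = ['localhost']` lands in the `else:` branch, i.e. dev, staging and production, where a localhost entry has no legitimate caller and only widens which Referer values pass Django's HTTPS CSRF origin check. If trusted origins are needed outside local, source them from the environment as the whitelist is (`CSRF_TRUSTED_ORIGINS = config('CSRF_TRUSTED_ORIGINS', cast=Csv(), default='')`), and put a localhost entry in the local branch instead. The enclosing `else:` block starts outside the hunk.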
From: Jose Contreras
Date: Fri, 31 Jan 2020 16:06:51 -0500
Subject: [PATCH 08/11] Replace headers.
---
ebdjango/settings.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index d35b64e..5737aa6 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -47,6 +47,7 @@ if os.environ['ENVIRONMENT'] == 'local': 'x-blocpower-app-key', 'x-blocpower-auth0-token' ] + CORS_REPLACE_HTTPS_REFERER = True else: CORS_ORIGIN_ALLOW_ALL = False CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv())
@@ -57,6 +58,7 @@ else: CSRF_TRUSTED_ORIGINS = [ 'localhost' ] + CORS_REPLACE_HTTPS_REFERER = True # Application definition INSTALLED_APPS = [
-- 
GitLab
From 2373b572716fcfd4d08e2a9e46d80532515b7294 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Fri, 31 Jan 2020 17:05:31 -0500
Subject: [PATCH 09/11] Change CORS origin to allow all.
---
ebdjango/settings.py | 18 +++++------------
1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 5737aa6..2d9a412 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -43,21 +43,13 @@ ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', 'localhost').split(',') if os.environ['ENVIRONMENT'] == 'local': CORS_ORIGIN_ALLOW_ALL = False CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) - CORS_ALLOW_HEADERS = list(default_headers) + [ - 'x-blocpower-app-key', - 'x-blocpower-auth0-token' - ] CORS_REPLACE_HTTPS_REFERER = True else: - CORS_ORIGIN_ALLOW_ALL = False - CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) - CORS_ALLOW_HEADERS = list(default_headers) + [ - 'x-blocpower-app-key', - 'x-blocpower-auth0-token' - ] - CSRF_TRUSTED_ORIGINS = [ - 'localhost' - ] + CORS_ORIGIN_ALLOW_ALL = True + # CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) + # CSRF_TRUSTED_ORIGINS = [ + # 'localhost' + # ] CORS_REPLACE_HTTPS_REFERER = True # Application definition
-- 
GitLab
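Review bot: `CORS_REPLACE_HTTPS_REFERER = True` is added identically to both branches (this hunk and the one at `@@ -57,6 +58,7 @@`), so it is not environment-specific and belongs above the conditional. The setting makes `CorsMiddleware` rewrite the Referer of whitelisted cross-origin HTTPS requests so they pass the CSRF check, and django-cors-headers pairs it with `CorsPostCsrfMiddleware` after `CsrfViewMiddleware` to restore the header; that middleware is not added until PATCH 10. Later django-cors-headers releases deprecated and removed this mechanism in favour of `CSRF_TRUSTED_ORIGINS`, so a comment recording why it is needed, e.g. `# lets whitelisted cross-origin HTTPS POSTs pass Django's referer check; CSRF_TRUSTED_ORIGINS is the upstream replacement`, will help whoever upgrades the package. Both `if` and `else` blocks extend outside the hunks.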
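Review bot: Besides the origin change in the subject, this hunk removes `CORS_ALLOW_HEADERS` from both branches, so `x-blocpower-app-key` and `x-blocpower-auth0-token` are no longer accepted in preflight and any client still sending them will be blocked by the browser; if that is intended the subject should say so, and the `default_headers` import added in PATCH 01 becomes unused unless referenced elsewhere in the file. Setting `CORS_ORIGIN_ALLOW_ALL = True` for every non-local environment while the whitelist is reduced to commented-out code means staging and production answer cross-origin requests from any site; the dead lines should be deleted rather than kept, and the flag is corrected only in PATCH 11. The `if` branch begins outside the hunk.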
From c4fc1286f4c74456bad6a03796e96f62084aa7be Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Thu, 6 Feb 2020 16:21:30 -0500
Subject: [PATCH 10/11] Add post csrf middleware and allow all origins when running locally.
---
ebdjango/settings.py | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index 2d9a412..ccf1727 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
@@ -41,15 +41,11 @@ if os.environ['ENVIRONMENT'] == 'local': ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', 'localhost').split(',') if os.environ['ENVIRONMENT'] == 'local': - CORS_ORIGIN_ALLOW_ALL = False - CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) + CORS_ORIGIN_ALLOW_ALL = True CORS_REPLACE_HTTPS_REFERER = True else: CORS_ORIGIN_ALLOW_ALL = True - # CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) - # CSRF_TRUSTED_ORIGINS = [ - # 'localhost' - # ] + CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) CORS_REPLACE_HTTPS_REFERER = True # Application definition
@@ -77,6 +73,7 @@ INSTALLED_APPS = [ MIDDLEWARE = [ 'corsheaders.middleware.CorsMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', + 'corsheaders.middleware.CorsPostCsrfMiddleware', 'django.middleware.common.CommonMiddleware', 'ebdjango.middleware.BasicAuthMiddleware', 'django.middleware.security.SecurityMiddleware',
-- 
GitLab
From a9711402a1a10eb20e88db86d57c872cf5e80039 Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Thu, 6 Feb 2020 17:56:23 -0500
Subject: [PATCH 11/11] Make allow all origins false in dev, staging, and production.
---
ebdjango/settings.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ebdjango/settings.py b/ebdjango/settings.py
index ccf1727..5860005 100644
--- a/ebdjango/settings.py
+++ b/ebdjango/settings.py
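Review bot: In the `else:` branch `CORS_ORIGIN_ALLOW_ALL = True` and `CORS_ORIGIN_WHITELIST = config(...)` now sit together, but the whitelist is ignored while allow-all is on, so the environment variable has no effect in dev, staging or production until PATCH 11 flips the flag. The local branch deserves a one-line comment, e.g. `# local only: any origin may call the API (front-end dev servers on arbitrary ports)`, so that the `True` is not copied into another branch by analogy. `CORS_REPLACE_HTTPS_REFERER = True` remains duplicated in both branches and could move above the conditional.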
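Review bot: `corsheaders.middleware.CorsPostCsrfMiddleware` directly after `CsrfViewMiddleware` is the placement django-cors-headers documents, but it exists only to undo the Referer rewrite that `CORS_REPLACE_HTTPS_REFERER = True` performs, and nothing near the list says so. A comment on the line, `# undoes the Referer rewrite of CORS_REPLACE_HTTPS_REFERER; keep right after CsrfViewMiddleware`, ties the two together so that removing one without the other is noticed. The remainder of MIDDLEWARE is outside the hunk.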
@@ -44,7 +44,7 @@ if os.environ['ENVIRONMENT'] == 'local': CORS_ORIGIN_ALLOW_ALL = True CORS_REPLACE_HTTPS_REFERER = True else: - CORS_ORIGIN_ALLOW_ALL = True + CORS_ORIGIN_ALLOW_ALL = False CORS_ORIGIN_WHITELIST = config('CORS_ORIGIN_WHITELIST', cast=Csv()) CORS_REPLACE_HTTPS_REFERER = True # Application definition
-- 
GitLab
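Review bot: `CORS_ORIGIN_ALLOW_ALL = False` is django-cors-headers' default, so this line records intent rather than changing behaviour; make the intent explicit, e.g. `# non-local: only origins listed in CORS_ORIGIN_WHITELIST (from the environment) may call the API`, since the subject's "dev, staging, and production" is not visible in the code. With this the two branches differ only in that flag and the whitelist lookup, while `CORS_REPLACE_HTTPS_REFERER = True` is still repeated in both and could move above the conditional. The `if` branch begins outside the hunk.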