major checkpoint

2026-01-08 15:59:53 +10:30
parent 211854ca0a
commit 5e060f267d
33 changed files with 8088 additions and 43 deletions
@@ -1,17 +1,40 @@
 """CORS middleware configuration."""
-from flask import request
+from flask import request, make_response


-def setup_cors(app, cors):
+def setup_cors(app):
    """
    Configure CORS for the application.

    Args:
        app: Flask application instance
-        cors: Flask-CORS instance
    """
-    # CORS is already initialized in extensions.py
-    # This function provides additional configuration if needed
+
+    @app.before_request
+    def handle_preflight():
+        """Handle CORS preflight OPTIONS requests."""
+        if request.method == "OPTIONS":
+            origin = request.headers.get("Origin")
+            cors_origins = app.config.get("CORS_ORIGINS", [])
+            
+            # Allow all origins if CORS_ORIGINS is "*" (string) or ["*"] (list with wildcard)
+            allow_all = cors_origins == "*" or (isinstance(cors_origins, list) and "*" in cors_origins)
+            
+            if allow_all:
+                response = make_response("", 204)
+                response.headers["Access-Control-Allow-Origin"] = "*"
+                response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+                response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Request-ID"
+                response.headers["Access-Control-Max-Age"] = "3600"
+                return response
+            elif origin and origin in cors_origins:
+                response = make_response("", 204)
+                response.headers["Access-Control-Allow-Origin"] = origin
+                response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+                response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Request-ID"
+                response.headers["Access-Control-Allow-Credentials"] = "true"
+                response.headers["Access-Control-Max-Age"] = "3600"
+                return response

    @app.after_request
    def after_request_cors(response):
@@ -19,11 +42,21 @@ def setup_cors(app, cors):
        origin = request.headers.get("Origin")
        cors_origins = app.config.get("CORS_ORIGINS", [])

-        # Allow all origins in development if CORS_ORIGINS is "*"
-        if cors_origins == "*" or origin in cors_origins:
-            response.headers["Access-Control-Allow-Origin"] = origin if cors_origins != "*" else "*"
+        # Allow all origins if CORS_ORIGINS is "*" (string) or ["*"] (list with wildcard)
+        allow_all = cors_origins == "*" or (isinstance(cors_origins, list) and "*" in cors_origins)
+        
+        if allow_all:
+            # When allowing all origins, set header to "*"
+            response.headers["Access-Control-Allow-Origin"] = "*"
            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Request-ID"
            response.headers["Access-Control-Max-Age"] = "3600"
+        elif origin and origin in cors_origins:
+            # When allowing specific origins, echo the request origin
+            response.headers["Access-Control-Allow-Origin"] = origin
+            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Request-ID"
+            response.headers["Access-Control-Allow-Credentials"] = "true"
+            response.headers["Access-Control-Max-Age"] = "3600"

        return response