fix(cors): handle wildcard origin with credentials and add unit tests

- Refactor CORS middleware to echo request origin when wildcard + credentials is configured (browsers reject Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true) - Add _is_origin_allowed() and _cors_origin_header() helpers - Use CORS_SUPPORTS_CREDENTIALS config consistently - Ensure consistent Access-Control-Allow-Headers in all CORS paths - Fix redirect validation in get_token() to allow wildcard CORS origins - Add 46 unit tests covering encryption round-trips, idempotency, key derivation, thread safety, CORS origin matching, and preflight responses
2026-04-26 01:12:39 +09:30
parent 9738765258
commit 60799bbc52
5 changed files with 555 additions and 37 deletions
@@ -246,7 +246,8 @@ def get_token():
        parsed_redirect = urlparse(redirect_url)
        redirect_origin = f"{parsed_redirect.scheme}://{parsed_redirect.netloc}"

-        if redirect_origin not in allowed_origins:
+        wildcard = "*" in allowed_origins
+        if not wildcard and redirect_origin not in allowed_origins:
            return api_response(success=False, message="Redirect URL is not allowed.", status=400, error_type="INVALID_REDIRECT")

        sep = "&" if "?" in redirect_url else "?"
@@ -1,6 +1,44 @@
 """CORS middleware configuration."""
 from flask import request, make_response

+ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ALLOWED_HEADERS = (
+    "Content-Type, Authorization, X-Requested-With, X-Request-ID, "
+    "Cache-Control, Pragma, X-WebAuthn-Session-Token"
+)
+
+
+def _is_origin_allowed(origin, cors_origins):
+    """Return True if the origin is permitted by the CORS config.
+
+    Handles both wildcard ("*") and explicit origin lists.
+    """
+    if not origin:
+        return False
+    if cors_origins == "*":
+        return True
+    if isinstance(cors_origins, list):
+        if "*" in cors_origins:
+            return True
+        return origin in cors_origins
+    return False
+
+
+def _cors_origin_header(cors_origins, request_origin):
+    """Return the value for Access-Control-Allow-Origin.
+
+    Per the CORS spec, browsers reject ``*`` when credentials are involved,
+    so we echo the request origin when wildcard + credentials is configured.
+    """
+    allow_all = cors_origins == "*" or (isinstance(cors_origins, list) and "*" in cors_origins)
+    if allow_all and request_origin:
+        return request_origin
+    if allow_all:
+        return "*"
+    if request_origin and request_origin in cors_origins:
+        return request_origin
+    return None
+

 def setup_cors(app):
    """
@@ -9,6 +47,7 @@ def setup_cors(app):
    Args:
        app: Flask application instance
    """
+    supports_credentials = app.config.get("CORS_SUPPORTS_CREDENTIALS", True)

    @app.before_request
    def handle_preflight():
@@ -16,49 +55,33 @@ def setup_cors(app):
        if request.method == "OPTIONS":
            origin = request.headers.get("Origin")
            cors_origins = app.config.get("CORS_ORIGINS", [])
-            
-            # Allow all origins if CORS_ORIGINS is "*" (string) or ["*"] (list with wildcard)
-            allow_all = cors_origins == "*" or (isinstance(cors_origins, list) and "*" in cors_origins)
-            
-            if allow_all:
-                response = make_response("", 204)
-                response.headers["Access-Control-Allow-Origin"] = "*"
-                response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-                response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Requested-With, X-Request-ID, Cache-Control, Pragma"
-                response.headers["Access-Control-Max-Age"] = "3600"
-                response.headers["Cache-Control"] = "no-cache, no-store"
-                return response
-            elif origin and origin in cors_origins:
-                response = make_response("", 204)
-                response.headers["Access-Control-Allow-Origin"] = origin
-                response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-                response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Requested-With, X-Request-ID, Cache-Control, Pragma, X-WebAuthn-Session-Token"
+
+            if not _is_origin_allowed(origin, cors_origins):
+                return None
+
+            response = make_response("", 204)
+            response.headers["Access-Control-Allow-Origin"] = _cors_origin_header(cors_origins, origin)
+            response.headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
+            response.headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
+            if supports_credentials:
                response.headers["Access-Control-Allow-Credentials"] = "true"
-                response.headers["Access-Control-Max-Age"] = "3600"
-                response.headers["Cache-Control"] = "no-cache, no-store"
-                return response
+            response.headers["Access-Control-Max-Age"] = "3600"
+            response.headers["Cache-Control"] = "no-cache, no-store"
+            return response

    @app.after_request
    def after_request_cors(response):
-        """Add additional CORS headers if needed."""
+        """Add CORS headers to non-preflight responses."""
        origin = request.headers.get("Origin")
        cors_origins = app.config.get("CORS_ORIGINS", [])

-        # Allow all origins if CORS_ORIGINS is "*" (string) or ["*"] (list with wildcard)
-        allow_all = cors_origins == "*" or (isinstance(cors_origins, list) and "*" in cors_origins)
-        
-        if allow_all:
-            # When allowing all origins, set header to "*"
-            response.headers["Access-Control-Allow-Origin"] = "*"
-            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Requested-With, X-Request-ID, Cache-Control, Pragma"
-            response.headers["Access-Control-Max-Age"] = "3600"
-        elif origin and origin in cors_origins:
-            # When allowing specific origins, echo the request origin
-            response.headers["Access-Control-Allow-Origin"] = origin
-            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Requested-With, X-Request-ID, Cache-Control, Pragma, X-WebAuthn-Session-Token"
-            response.headers["Access-Control-Allow-Credentials"] = "true"
+        allow_origin = _cors_origin_header(cors_origins, origin)
+        if allow_origin:
+            response.headers["Access-Control-Allow-Origin"] = allow_origin
+            response.headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
+            response.headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
+            if supports_credentials:
+                response.headers["Access-Control-Allow-Credentials"] = "true"
            response.headers["Access-Control-Max-Age"] = "3600"

        return response