coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(cors): handle wildcard origin with credentials and add unit tests

Browse Source 
- Refactor CORS middleware to echo request origin when wildcard + credentials
  is configured (browsers reject Access-Control-Allow-Origin: * with
  Access-Control-Allow-Credentials: true)
- Add _is_origin_allowed() and _cors_origin_header() helpers
- Use CORS_SUPPORTS_CREDENTIALS config consistently
- Ensure consistent Access-Control-Allow-Headers in all CORS paths
- Fix redirect validation in get_token() to allow wildcard CORS origins
- Add 46 unit tests covering encryption round-trips, idempotency, key
  derivation, thread safety, CORS origin matching, and preflight responses
This commit is contained in:
Cory Hawklvelt
2026-04-26 01:12:39 +09:30
parent 9738765258
commit 60799bbc52
5 changed files with 555 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
gatehouse_app/api/v1/auth/core.py
+2 -1
View File
@@ -246,7 +246,8 @@ def get_token():
parsed_redirect = urlparse(redirect_url)
redirect_origin = f"{parsed_redirect.scheme}://{parsed_redirect.netloc}"
if redirect_origin not in allowed_origins:
wildcard = "*" in allowed_origins
if not wildcard and redirect_origin not in allowed_origins:
return api_response(success=False, message="Redirect URL is not allowed.", status=400, error_type="INVALID_REDIRECT")
sep = "&" if "?" in redirect_url else "?"