made testing CORS much stricter and added configfile support for the …

…cors_origins setting

aw_server/config.py

@@ -6,12 +6,14 @@
 default_config["server"] = {
     "host": "localhost",
     "port": "5600",
-    "storage": "peewee"
+    "storage": "peewee",
+    "cors_origins": ""
 }
 default_config["server-testing"] = {
     "host": "localhost",
     "port": "5666",
-    "storage": "peewee"
+    "storage": "peewee",
+    "cors_origins": ""
 }
 
 config = load_config("aw-server", default_config)

aw_server/main.py

@@ -36,8 +36,6 @@ def main():
 def parse_settings():
     import argparse
 
-    storage_methods = get_storage_methods()
-
     """ CLI Arguments """
     parser = argparse.ArgumentParser(description='Starts an ActivityWatch server')
     parser.add_argument('--testing',
@@ -60,8 +58,7 @@ def parse_settings():
                         help='The method to use for storing data. Some methods (such as MongoDB) require specific Python packages to be available (in the MongoDB case: pymongo)')
     parser.add_argument('--cors-origins',
                         dest='cors_origins',
-                        default='',
-                        help='Additional CORS origins to allow (as a comma separated list)')
+                        help='CORS origins to allow (as a comma separated list)')
     args = parser.parse_args()
 
     """ Parse config file """
@@ -70,12 +67,16 @@ def parse_settings():
     settings.host = config[configsection]["host"]
     settings.port = config[configsection].getint("port")
     settings.storage = config[configsection]["storage"]
+    settings.cors_origins = config[configsection]["cors_origins"]
 
     """ If a argument is not none, override the config value """
     for key, value in vars(args).items():
         if value is not None:
             vars(settings)[key] = value
 
     settings.cors_origins = [o for o in settings.cors_origins.split(',') if o]
+
+    storage_methods = get_storage_methods()
     storage_method = storage_methods[settings.storage]
+
     return settings, storage_method

aw_server/server.py

@@ -44,21 +44,25 @@ def static_js(path):
     return send_from_directory(static_folder + '/js', path)
 
 
-# Only to be called from aw_server.main function!
-def _start(storage_method, host: str, port: int, testing: bool=False, cors_origins: List[str] = []):
+def _config_cors(cors_origins: List[str], testing: bool):
+    if cors_origins:
+        logger.warning('Running with additional allowed CORS origins specified through config or CLI argument (could be a security risk): {}'.format(cors_origins))
+
     if testing:
-        # CORS won't be supported in non-testing mode until we fix our authentication
-        logger.warning("CORS is enabled when ran in testing mode, don't store any sensitive data when running in testing mode!")
-        origins = "*"
-    else:
-        # TODO: This could probably be more specific
-        #       See https://github.com/ActivityWatch/aw-server/pull/43#issuecomment-386888769
-        origins = "moz-extension://*"
-        if cors_origins:
-            origins += ',' + ','.join(cors_origins)
-            logger.warning('Running with extra CORS origins: {}'.format(origins))
+        # Used for development of aw-webui
+        cors_origins.append("127.0.0.1:27180")
+
+    # TODO: This could probably be more specific
+    #       See https://github.com/ActivityWatch/aw-server/pull/43#issuecomment-386888769
+    cors_origins.append("moz-extension://*")
+
     # See: https://flask-cors.readthedocs.org/en/latest/
-    CORS(app, resources={r"/api/*": {"origins": origins}})
+    CORS(app, resources={r"/api/*": {"origins": cors_origins}})
+
+
+# Only to be called from aw_server.main function!
+def _start(storage_method, host: str, port: int, testing: bool=False, cors_origins: List[str] = []):
+    _config_cors(cors_origins, testing)
 
     # Only pretty-print JSON if in testing mode (because of performance)
     app.config["JSONIFY_PRETTYPRINT_REGULAR"] = testing