issue 53 - Allow SITE_URL to be a string or a list

.gitignore

@@ -2,7 +2,7 @@
 test.db
 /build/
 /dist/
-/django_browserid.egg-info/
+django_browserid.egg-info/
 docs/_build
 MANIFEST
 .DS_Store

django_browserid/base.py

@@ -39,34 +39,42 @@ def get_audience(request):
 
        This is *not* secure!
 
-    2. Otherwise, settings.SITE_URL is compared with the request
-       domain and will raise an ImproperlyConfigured error if they
-       don't match.
+    2. Otherwise, settings.SITE_URL is checked for the request
+       domain and an ImproperlyConfigured error is raised if it
+       is not found.
 
     Examples of settings.SITE_URL::
 
         SITE_URL = 'http://127.0.0.1:8001'
         SITE_URL = 'https://example.com'
         SITE_URL = 'http://example.com'
+        SITE_URL = [
+            'http://127.0.0.1:8001',
+            'https://example.com',
+            'http://example.com'
+        ]
 
     """
     req_proto = 'https://' if request.is_secure() else 'http://'
     req_domain = request.get_host()
     req_url = '%s%s' % (req_proto, req_domain)
-
-    site_url = getattr(settings, 'SITE_URL', False)
+    site_url = getattr(settings, 'SITE_URL', None)
     if not site_url:
         if settings.DEBUG:
-            site_url = req_url
+            return req_url
         else:
             raise ImproperlyConfigured('`SITE_URL` must be set. See '
                                        'documentation for django-browserid')
-
-    if site_url != req_url:
-        raise ImproperlyConfigured('SITE_URL incorrect. Setting is `{0}`, but '
-                                   'request was `{1}`'
-                                   .format(site_url, req_url))
-    return site_url
+    if isinstance(site_url, str):
+        site_url = [site_url]
+    try:
+        url_iterator = iter(site_url)
+    except TypeError:
+        raise ImproperlyConfigured('`SITE_URL` is not a string or an iterable')
+    if req_url not in url_iterator:
+        raise ImproperlyConfigured('request `{0}`, was not found in SITE_URL `{1}`'
+                                   .format(req_url, site_url))
+    return req_url
 
 
 def _verify_http_request(url, data):

django_browserid/tests/test_base.py

@@ -30,6 +30,12 @@ def test_properly_configured(self):
         request = self.factory.post('/', SERVER_NAME='example.com')
         self.assertEqual('http://example.com', get_audience(request))
 
+    @patch_settings(SITE_URL=['http://example1.com', 'http://example2.com'])
+    def test_iterable(self):
+        # Return correct url from iterable SITE_URL, if it contains request URL.
+        request = self.factory.post('/', SERVER_NAME='example2.com')
+        self.assertEqual('http://example2.com', get_audience(request))
+
     @patch_settings(DEBUG=True)
     def test_no_site_url(self):
         # If SITE_URL isn't set, use the domain from the request.

docs/details/settings.rst

@@ -14,6 +14,8 @@ Core Settings
    Domain and protocol used to access your site. BrowserID uses this value to
    determine if an assertion was meant for your site.
 
+   Can be a string or an iterable of strings.
+
    Note that this does not have to be a publicly accessible URL, so local URLs
    like ``localhost:8000`` or ``127.0.0.1`` are acceptable as long as they match
    what you are using to access your site.

docs/setup.rst

@@ -35,8 +35,14 @@ To use ``django-browserid``, you'll need to make a few changes to your
        # ...
     )
 
+    # Set your site url for security
+    SITE_URL = 'https://example.com'
+
 .. note:: BrowserID uses an assertion and an audience to verify the user. This
-   ``SITE_URL`` is used to determine the audience. For security reasons, it is
+   ``SITE_URL`` is used to determine the audience. It can be a string or an
+   iterable of strings.
+
+   For security reasons, it is
    *very important* that you set ``SITE_URL`` correctly.
 
 .. note:: ``TEMPLATE_CONTEXT_PROCESSORS`` is not in the settings file by