Restrict API CORS and require CSRF tokens

[minyanyi]

Fixes #4614.

Summary:

• Remove the default wildcard Access-Control-Allow-Origin: * API response.
• Reflect CORS only for origins listed in RUSTCHAIN_API_ALLOWED_ORIGINS.
• Require X-RustChain-CSRF-Token to match RUSTCHAIN_API_CSRF_TOKEN for browser-origin state-changing POST paths.
• Add preflight handling and HTTP-level regression tests for CORS/CSRF behavior.

Verification:

• python -m pytest test_rpc_cors_csrf.py -q -> 4 passed
• git diff --check -> clean

wallet: minyanyi
payout address: 0x2E4380d2e1668Ca9fA3Ef91fF776FDc140Cf3fE8

[github-actions]

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

• Your PR has a BCOS-L1 or BCOS-L2 label
• New code files include an SPDX license header
• You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

[saim256]

The CORS/CSRF behavior covered by the focused tests passes locally, and the implementation does remove the default wildcard CORS response while requiring a CSRF token for browser-origin state-changing POSTs.

Blocking issues before merge:

1. test_rpc_cors_csrf.py is a new file without the repo-required SPDX header, so tools/bcos_spdx_check.py fails.
2. The test helper uses exec() to load rpc.py and urllib.request.urlopen(), which trips the repo's Bandit test scan with B102 and B310 findings.

Validation run:

python -m pytest test_rpc_cors_csrf.py -q
# 4 passed

python -m py_compile rips\rustchain-core\api\rpc.py test_rpc_cors_csrf.py
# passed

git diff --check origin/main...HEAD -- rips\rustchain-core\api\rpc.py test_rpc_cors_csrf.py
# passed

python tools\bcos_spdx_check.py --base-ref origin/main
# failed: add SPDX header to test_rpc_cors_csrf.py

python -m ruff check test_rpc_cors_csrf.py --select E9,F63,F7,F82
# All checks passed

python -m bandit -r test_rpc_cors_csrf.py --severity-level medium --confidence-level high -c pyproject.toml
# failed: B102 exec_used and B310 urllib urlopen findings

Please add the SPDX header and replace the test helper's exec()/urlopen() usage, or add narrowly justified repo-approved suppressions if maintainers prefer that style.

[jaxint]

LGTM! Thanks for contributing. Approved.

[godd-ctrl]

Follow-up approval after the latest commits.

The previous blockers appear addressed on the current head commit:

• test_rpc_cors_csrf.py now has the required SPDX header.
• The test loader now uses importlib.util instead of exec().
• The HTTP test helper now uses http.client.HTTPConnection instead of urllib.request.urlopen().
• The focused CORS/CSRF behavior still passes: default responses do not emit wildcard CORS, configured origins are reflected, browser-origin state-changing POSTs require a CSRF token, and valid CSRF tokens pass.

Validation I ran locally:

python -m pytest test_rpc_cors_csrf.py -q
# 4 passed

python -m py_compile rips\rustchain-core\api\rpc.py test_rpc_cors_csrf.py
# passed

git diff --check origin/main...HEAD -- rips/rustchain-core/api/rpc.py test_rpc_cors_csrf.py
# passed

python tools\bcos_spdx_check.py --base-ref origin/main
# BCOS SPDX check: OK

I could not rerun the exact Bandit command in this local Python environment because bandit is not installed, but the two concrete findings from the earlier review were removed from the diff. No additional blocker from this follow-up review.

[saim256]

Follow-up review after the test-helper and SPDX fixes: approved.

The earlier blockers I raised are resolved on current head:

• test_rpc_cors_csrf.py now has the required SPDX header.
• The test helper no longer triggers the previous high/medium Bandit findings for exec() and urlopen().
• The focused CORS/CSRF behavior still passes locally.

Validation run:

python -m pytest test_rpc_cors_csrf.py -q
4 passed in 2.12s

python -m py_compile rips\rustchain-core\api\rpc.py test_rpc_cors_csrf.py
passed

git diff --check origin/main...HEAD -- rips/rustchain-core/api/rpc.py test_rpc_cors_csrf.py
passed

python tools\bcos_spdx_check.py --base-ref origin/main
BCOS SPDX check: OK

python -m bandit -r test_rpc_cors_csrf.py --severity-level medium --confidence-level high -c pyproject.toml
No issues identified

I do not see a remaining blocker in this updated patch.

[jaxint]

LGTM! Thanks for contributing. Approved.

[jaxint]

LGTM! Thanks for contributing. Approved.

[jaxint]

LGTM! Thanks for contributing. Approved.

[jaxint]

LGTM! Thanks for contributing. Approved.

[jaxint]

LGTM! Thanks for contributing. Approved.

[jaxint]

LGTM! Thanks for contributing. Approved.

[jaxint]

Code review: LGTM! Thanks for contributing to RustChain. Approved.

[loganoe]

Reviewed the CORS/CSRF patch.

The default wildcard CORS header is removed, configured origins are reflected explicitly, preflight handling is added, and browser-origin state-changing POSTs require the configured X-RustChain-CSRF-Token. The HTTP-level tests cover no-wildcard behavior, allowed origin reflection, missing-token rejection, and valid-token acceptance.

Validation run:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 /tmp/rustchain-flask-venv/bin/python -m pytest -q test_rpc_cors_csrf.py -> 4 passed
• /tmp/rustchain-flask-venv/bin/python -m py_compile rips/rustchain-core/api/rpc.py test_rpc_cors_csrf.py -> passed
• git diff --check origin/main...HEAD -- rips/rustchain-core/api/rpc.py test_rpc_cors_csrf.py -> passed

[TJCurnutte]

Hermes Agent review — APPROVED

I reviewed the diff for PR #4623: Restrict API CORS and require CSRF tokens

Validation proof

• git diff --check: PASS
• BCOS SPDX check: PASS
• added-line secret-pattern scan: PASS
• python py_compile: PASS
• focused changed-test pytest: PASS

Scope checked
rips/rustchain-core/api/rpc.py (+70/-4), test_rpc_cors_csrf.py (+142/-0)

Review note
The changed surface is bounded and the local gates above did not expose whitespace, SPDX, syntax, focused-test, or added-secret regressions. This approval is for the submitted diff at the reviewed head; payout/merge authority remains with the maintainers.

[jaxint]

LGTM! Thanks for contributing. Approved.

[Scottcjn]

Codex audit ✓ — this PR is approved for merge at high-tier (50 RTC) (Explicit origin allowlist plus CSRF token requirement for browser-origin POSTs in the core RPC API.).

Branch is currently behind main; rebase against latest tip and this'll merge.

[jaxint]

LGTM! Thanks for contributing. Approved.

[HCIE2054]

LGTM! Great contribution to the RustChain ecosystem. Thanks for keeping the codebase clean and well-tested. Approved ✅

[minyanyi]

Rebased this branch onto latest main and resolved the API RPC conflict with the existing RPC allowlist/CSRF changes. Fresh validation: python -m pytest tests/test_rustchain_core_api_cors.py test_rpc_cors_csrf.py -q (12 passed), python -m py_compile rips\\rustchain-core\\api\\rpc.py test_rpc_cors_csrf.py, and git diff --check.

[508704820]

Restrict API CORS and require CSRF tokens. Same as #4624. Verify both cover all API endpoints. - Xeophon (security review, CORS+CSRF)

[HCIE2054]

LGTM!

[minyanyi]

CI follow-up: I opened two small base-branch fixes for the current red checks that appear unrelated to this PR's CORS/CSRF changes:

• Fix rustchain-wallet dependency compatibility #5586 fixes the rustchain-wallet dependency drift causing fresh CI resolves to fail on sha2 0.11 / hmac 0.13 / getrandom 0.4 API mismatches.
• Install missing CI test dependencies #5587 adds missing test dependencies used during the blocking pytest tests/ collection phase.

This branch is still mergeable and the focused validation from the rebase remains: python -m pytest tests/test_rustchain_core_api_cors.py test_rpc_cors_csrf.py -q -> 12 passed.