LCORE-405: do not allow crendentials to be enabled for * origins

[tisnik]

Description

LCORE-405: do not allow crendentials to be enabled for * origins

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Related Tickets & Documents

• Related Issue #LCORE-405

Summary by CodeRabbit

• New Features
  • Added fail-fast validation for CORS settings: enabling credentials with a wildcard origin now produces a clear error with guidance.
• Bug Fixes
  • Safer default CORS behavior: credentials are disabled by default to prevent insecure configurations.
• Tests
  • Expanded CORS test coverage across explicit and wildcard origins, credential combinations, and error scenarios to ensure predictable behavior and clear messaging.

[coderabbitai]

Walkthrough

Updated CORSConfiguration: default allow_credentials set to False and added validation to reject "*" in allow_origins when allow_credentials is True. Unit tests were expanded and renamed to cover valid/invalid combinations and the new failure case.

Changes

Cohort / File(s)	Summary
CORS configuration validation update src/models/config.py	Changed default allow_credentials to False. Added check_cors_configuration to raise ValueError when allow_origins includes "*" with allow_credentials=True. Included spec/tutorial reference comment.
Unit tests adjustments tests/unit/models/test_config.py	Renamed existing test to test_cors_custom_configuration_v1. Added tests v2, v3, and improper configuration test to cover explicit origins with/without credentials and wildcard origins without credentials; assert ValueError on invalid combo.

Sequence Diagram(s)

sequenceDiagram
  participant App
  participant CORSConfiguration
  participant Validator as check_cors_configuration

  App->>CORSConfiguration: Initialize(config)
  CORSConfiguration->>Validator: Validate allow_origins & allow_credentials
  alt allow_credentials=True and "*" in allow_origins
    Validator-->>App: Raise ValueError
  else Valid combination
    Validator-->>App: Return OK
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• LCORE-405: configurable CORS settings #406 — Prior CORSConfiguration work; this PR directly modifies that behavior (default credentials and wildcard-origin validation).

Poem

A whisk of code, a hop of care,
No stars with secrets we now bear.
Credentials tucked, origins named,
The CORSy winds are now constrained.
I thump approval, ears held high—
Safe requests beneath the sky. 🐇✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/models/config.py (1)

43-47: Nit: improve error message spacing and grammar

Minor wording polish and consistent field name: add a space after the first sentence, use “cannot”, and “allow_origins”.

Apply:

-            raise ValueError(
-                "Invalid CORS configuration: allow_credentials can not be set to true when "
-                "allow origins contains '*' wildcard."
-                "Use explicit origins or disable credential."
-            )
+            raise ValueError(
+                "Invalid CORS configuration: allow_credentials cannot be set to true when "
+                "allow_origins contains '*' wildcard. "
+                "Use explicit origins or disable credentials."
+            )

Note: If you accept this wording change, update the test expectation accordingly (see test comment below).

tests/unit/models/test_config.py (1)

273-289: Exception type likely should be pydantic ValidationError instead of ValueError

Pydantic v2 wraps ValueError raised inside model validators into a ValidationError at instantiation time. Other tests in this suite already expect ValidationError for similar scenarios. Recommend aligning this test to expect ValidationError to avoid flakiness across environments.

Minimal change to align with pydantic behavior:

-    with pytest.raises(ValueError, match=expected):
+    with pytest.raises(ValidationError, match=expected):
         # allow_credentials can not be true when allow_origins contains '*'
         CORSConfiguration(
             allow_origins=["*"],
             allow_credentials=True,
             allow_methods=["foo_method", "bar_method", "baz_method"],
             allow_headers=["foo_header", "bar_header", "baz_header"],
         )

If you adopt the improved error message wording suggested in config.py, also update the expected string here:

-    expected = (
-        "Value error, Invalid CORS configuration: "
-        + "allow_credentials can not be set to true when allow origins contains '\\*' wildcard."
-        + "Use explicit origins or disable credential."
-    )
+    expected = (
+        "Value error, Invalid CORS configuration: "
+        + "allow_credentials cannot be set to true when allow_origins contains '\\*' wildcard. "
+        + "Use explicit origins or disable credentials."
+    )

If you prefer to keep the current message text, apply only the exception type change.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 62963c9 and b9ca231.

📒 Files selected for processing (2)

• src/models/config.py (1 hunks)
• tests/unit/models/test_config.py (2 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

tests/unit/models/test_config.py (1)

src/models/config.py (1)

• CORSConfiguration (27-48)

🔇 Additional comments (6)

src/models/config.py (2)

40-47: Correctly disallow credentials with wildcard origins

The validator enforces the CORS/Fetch constraint and matches the stated objective. Good fail-fast behavior.

---

33-33: Secure-by-default: Credentials disabled for CORS by default

I verified that changing allow_credentials to False only affects:

• src/app/main.py: the CORSMiddleware is now instantiated with allow_credentials=False by default.
• Tests in tests/unit/models/test_config.py either explicitly set allow_credentials or don’t assert on the default.

Please double-check that no existing clients rely on cookies or authorization headers being allowed in cross-origin requests before merging.

tests/unit/models/test_config.py (4)

223-223: Assert updated default explicitly

Asserting the new default keeps the regression guard for the secure-by-default change.

---

228-241: Custom config with explicit origins and credentials disabled: LGTM

Covers the permissive origins with non-credentialed case.

---

243-256: Explicit origins with credentials enabled: LGTM

Validates the positive path when no wildcard is used.

---

258-271: Wildcard origins with credentials disabled: LGTM

Validates the permissive default that remains compliant with the spec.