Make it easier to re-use CSRF protection for custom web handlers #1966
Labels: A-http (Area: HTTP frontend), C-enhancement (Category: A PR with an enhancement or an issue with an enhancement proposal)
Right now, to make use of the `http.csrf_protection` and `http.allowed_origins` settings in extensions, a decent chunk of code must be duplicated. Most of this duplication comes from `mopidy.http.handlers:JsonRpcHandler`. There's also some configuration handling in `mopidy.http.handlers:make_mopidy_app_factory`.

To avoid duplication in web handlers, I think it would be pretty simple to factor out the code that isn't specific to the actual request-handling logic into a new base class to be re-used. If we were feeling generous, we could even provide a JSON-specific subclass of this handler.
There are a couple of options I can see for de-duplicating the configuration handling effort.
Option 1: Localise the effort in `mopidy.http.actor:HttpServer`

`HttpServer.run` (or one of the methods it calls), check (and potentially warn about) the value of the `csrf_protection` setting, and normalise the value(s) of `allowed_origins`. `http:app` factories as part of a "general HTTP settings" object, so that they can be passed to the handlers themselves.

This has the benefit of being a rather limited set of changes. However, it would require some special handling for existing `http:app` factories to avoid breaking backwards-compatibility.

Option 2: Make configuration loading more powerful
Instead of relying on individual extensions to normalise configuration themselves inside of actor code, it would be nice if arbitrary transformations and other normalisation could be performed by the configuration loading mechanism.
This is kind of what I'm envisaging to automatically sanitise the list of allowed origins:
You would then make use of it like so:
This approach would be fully backwards-compatible, and has the benefit of making the `List` config type more generic. However, this is probably a slightly bigger change than option 1 that would probably require its own issue to ensure the side-effects of this kind of change are better understood.