Merge pull request #380 from multinet-app/cors-refinement

Enable cross-origin credential transfer to login API

.env.default

@@ -14,6 +14,10 @@ GOOGLE_CLIENT_SECRET=
 # Will be set automatically by the server
 FLASK_SECRET_KEY=
 
+# Comma separated list of domains that will be allowed to send cookies to the
+# server.
+ALLOWED_ORIGINS=http://localhost:8080
+
 ARANGO_HOST=localhost
 ARANGO_PORT=8529
 ARANGO_PROTOCOL=http

multinet/__init__.py

@@ -7,7 +7,7 @@
 from flasgger import Swagger
 from sentry_sdk.integrations.flask import FlaskIntegration
 
-from typing import Optional, MutableMapping, Any, Tuple, Union
+from typing import Optional, MutableMapping, Any, Tuple, Union, List
 
 from multinet import auth
 from multinet.auth import google
@@ -21,10 +21,21 @@
 sentry_sdk.init(dsn=sentry_dsn, integrations=[FlaskIntegration()])
 
 
+def get_allowed_origins() -> List[str]:
+    """Read in comma-separated list of allowed origins from environment."""
+    allowed_origins = os.getenv("ALLOWED_ORIGINS", default=None)
+    if allowed_origins is None:
+        return []
+
+    return [s.strip() for s in allowed_origins.split(",")]
+
+
 def create_app(config: Optional[MutableMapping] = None) -> Flask:
     """Create a Multinet app instance."""
     app = Flask(__name__)
-    CORS(app)
+
+    allowed_origins = get_allowed_origins()
+    CORS(app, origins=allowed_origins, supports_credentials=True)
     Swagger(app, template_file="swagger/template.yaml")
 
     app.secret_key = flask_secret_key()

mypy_stubs/flask_cors.pyi

@@ -1,3 +1,10 @@
 from flask import Flask
 
-def CORS(app: Flask) -> None: ...
+from typing import Dict, Any, List, Union
+
+def CORS(
+    app: Flask,
+    origins: Union[str, List[str]],
+    supports_credentials: bool,
+    resources: Dict[str, Dict[str, Any]] = None,
+) -> None: ...