Merge pull request #162 from FEWS-NET/HEA-738/Update-CORS-for-HEA

Add cors lib and related settings see HEA-738

Author: rhunwicks

hea/settings/base.py

@@ -108,6 +108,7 @@
     "django_extensions",
     "rest_framework_gis",
     "revproxy",
+    "corsheaders",
 ]
 PROJECT_APPS = ["common", "metadata", "baseline"]
 INSTALLED_APPS = EXTERNAL_APPS + PROJECT_APPS
@@ -116,6 +117,7 @@
     "django.middleware.gzip.GZipMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
+    "corsheaders.middleware.CorsMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.locale.LocaleMiddleware",
     "common.middleware.language.LanguageMiddleware",
@@ -153,6 +155,19 @@
     "SEARCH_PARAM": "search",
 }
 
+
+########## CORS CONFIGURATION
+# See: https://github.com/ottoyiu/django-cors-headers
+CORS_ALLOWED_ORIGINS = env.list("CORS_ALLOWED_ORIGINS", default=[])
+CORS_ALLOWED_ORIGIN_REGEXES = env.list("CORS_ALLOWED_ORIGIN_REGEXES", default=[])
+# when CORS_ALLOW_CREDENTIALS is True, it is not allowed to use
+# the wildcard / CORS_ALLOW_ALL_ORIGINS
+CORS_ALLOW_ALL_ORIGINS = False if (CORS_ALLOWED_ORIGINS or CORS_ALLOWED_ORIGIN_REGEXES) else True
+CORS_ALLOW_CREDENTIALS = True if (CORS_ALLOWED_ORIGINS or CORS_ALLOWED_ORIGIN_REGEXES) else False
+
+CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[])
+########## End CORS CONFIGURATION
+
 ROOT_URLCONF = "hea.urls"
 
 TEMPLATES = [

requirements/base.txt

@@ -6,6 +6,7 @@ dagster-postgres==0.27.7
 dagster-webserver==1.11.7
 Django==5.2.6
 django-binary-database-files==1.0.18
+django-cors-headers==4.9.0
 django-environ==0.11.2
 django-extensions==3.2.3
 django-filter==23.5