Fix projects API

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Author: lukaszgryglicki

cla-backend-legacy/internal/api/handlers.go

@@ -5362,15 +5362,15 @@ func (h *Handlers) GetProjectV2(w http.ResponseWriter, r *http.Request) {
 			standalone := false
 			lfSupported := false
 			if projectSFID != "" && h.salesforce != nil {
-				standalone, err = h.salesforce.IsStandaloneProject(ctx, projectSFID)
-				if err != nil {
-					respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": map[string]any{"project_id": err.Error()}})
-					return
+				if v, psErr := h.salesforce.IsStandaloneProject(ctx, projectSFID); psErr != nil {
+					logging.Warnf("get_project: unable to compute standalone_project for project_sfid=%s: %v", projectSFID, psErr)
+				} else {
+					standalone = v
 				}
-				lfSupported, err = h.salesforce.IsLFSupportedProject(ctx, projectSFID)
-				if err != nil {
-					respond.JSON(w, http.StatusInternalServerError, map[string]any{"errors": map[string]any{"project_id": err.Error()}})
-					return
+				if v, psErr := h.salesforce.IsLFSupportedProject(ctx, projectSFID); psErr != nil {
+					logging.Warnf("get_project: unable to compute lf_supported for project_sfid=%s: %v", projectSFID, psErr)
+				} else {
+					lfSupported = v
 				}
 			}
 			md["standalone_project"] = standalone

cla-backend-legacy/internal/legacy/salesforce/service.go

@@ -326,15 +326,20 @@ func (s *Service) getAccessToken(ctx context.Context) (string, int, error) {
 func (s *Service) IsStandaloneProject(ctx context.Context, projectSFID string) (bool, error) {
 	project, err := s.getProjectDetailByID(ctx, projectSFID)
 	if err != nil {
-		return false, err
+		//return false, err
+		// Python ProjectService.get_project_by_id() returns None on downstream
+		// project-service HTTP errors; is_standalone() then returns False.
+		return false, nil
 	}
 	if project == nil {
 		return false, nil
 	}
 
 	parentName := s.getParentName(project)
 	if parentName == nil {
-		return false, nil
+		//return false, nil
+		// Python: parent_name is None => standalone.
+		return true, nil
 	}
 	if *parentName == TheLinuxFoundation || *parentName == LFProjectsLLC {
 		if len(project.Projects) == 0 {
@@ -350,7 +355,10 @@ func (s *Service) IsStandaloneProject(ctx context.Context, projectSFID string) (
 func (s *Service) IsLFSupportedProject(ctx context.Context, projectSFID string) (bool, error) {
 	project, err := s.getProjectDetailByID(ctx, projectSFID)
 	if err != nil {
-		return false, err
+		//return false, err
+		// Python ProjectService.get_project_by_id() returns None on downstream
+		// project-service HTTP errors; is_lf_supported() then returns False.
+		return false, nil
 	}
 	if project == nil {
 		return false, nil
@@ -379,13 +387,19 @@ func (s *Service) getProjectDetailByID(ctx context.Context, projectID string) (*
 		return nil, &AuthFailureError{Status: status, Cause: err}
 	}
 
-	// Use the same endpoint as GetProject but with a different struct for full details
-	projectURL := fmt.Sprintf("%s/project-service/v2/projects/%s", s.platformGatewayURL, url.QueryEscape(projectID))
+	base := strings.TrimRight(s.platformGatewayURL, "/")
+	if base == "" {
+		return nil, errors.New("PLATFORM_GATEWAY_URL is empty")
+	}
+
+	// Legacy Python uses /project-service/v1/projects/{project_id}.
+	projectURL := fmt.Sprintf("%s/project-service/v1/projects/%s", base, url.PathEscape(projectID))
 	req, err := http.NewRequestWithContext(ctx, "GET", projectURL, nil)
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("Authorization", "Bearer "+accessToken)
+	// req.Header.Set("Authorization", "Bearer "+accessToken)
+	req.Header.Set("Authorization", "bearer "+accessToken)
 	req.Header.Set("Accept", "application/json")
 
 	resp, err := s.httpClient.Do(req)
@@ -395,11 +409,9 @@ func (s *Service) getProjectDetailByID(ctx context.Context, projectID string) (*
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(io.LimitReader(resp.Body, 8192))
-		return nil, &ProjectServiceError{
-			Status: resp.StatusCode,
-			Cause:  fmt.Errorf("project-service GET project status %d: %s", resp.StatusCode, string(body)),
-		}
+		// Legacy Python catches HTTPError and returns None.
+		_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, 8192))
+		return nil, nil
 	}
 
 	var project ProjectDetail

cla-backend-legacy/internal/middleware/cors.go

@@ -6,47 +6,90 @@ package middleware
 import (
 	"encoding/json"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"sync"
 )
 
 // CORS is a simple "always add CORS headers" middleware.
 // The legacy Python backend sets these headers in response middleware.
-
 var (
 	allowedOriginsOnce sync.Once
 	allowedOrigins     []string
 	allowAllOrigins    bool
 )
 
+func normalizeAllowedOrigin(raw string) string {
+	raw = strings.TrimSpace(strings.Trim(raw, "\"'"))
+	if raw == "" || raw == "*" {
+		return raw
+	}
+
+	// CLA_CONTRIBUTOR_BASE / CLA_CONTRIBUTOR_V2_BASE can be configured as a
+	// hostname. Browser Origin values are scheme + host only.
+	if !strings.Contains(raw, "://") {
+		raw = "https://" + raw
+	}
+
+	u, err := url.Parse(raw)
+	if err == nil && u.Scheme != "" && u.Host != "" {
+		return u.Scheme + "://" + u.Host
+	}
+
+	return strings.TrimRight(raw, "/")
+}
+
+func addAllowedOrigin(raw string) {
+	origin := normalizeAllowedOrigin(raw)
+	if origin == "" {
+		return
+	}
+	if origin == "*" {
+		allowAllOrigins = true
+		return
+	}
+
+	for _, existing := range allowedOrigins {
+		if existing == origin {
+			return
+		}
+	}
+	allowedOrigins = append(allowedOrigins, origin)
+}
+
+func addContributorConsoleOrigins() {
+	addAllowedOrigin(os.Getenv("CLA_CONTRIBUTOR_BASE"))
+	addAllowedOrigin(os.Getenv("CLA_CONTRIBUTOR_V2_BASE"))
+}
+
 func loadAllowedOriginsFromEnv() {
 	raw := strings.TrimSpace(os.Getenv("ALLOWED_ORIGINS"))
 	if raw == "" {
 		// Backwards compatible default: allow all.
 		allowAllOrigins = true
+		addContributorConsoleOrigins()
 		return
 	}
+
 	// Supported formats:
-	//  - JSON array: ["https://a", "https://b"]
-	//  - CSV: https://a,https://b
-	//  - Space/newline separated
+	// - JSON array: ["https://a", "https://b"]
+	// - CSV: https://a,https://b
+	// - Space/newline separated
 	if strings.HasPrefix(raw, "[") {
 		var arr []string
 		if err := json.Unmarshal([]byte(raw), &arr); err == nil {
 			for _, v := range arr {
-				v = strings.TrimSpace(strings.Trim(v, "\"'"))
-				if v == "" {
-					continue
-				}
-				allowedOrigins = append(allowedOrigins, v)
-				if v == "*" {
-					allowAllOrigins = true
-				}
+				addAllowedOrigin(v)
+			}
+			addContributorConsoleOrigins()
+			if len(allowedOrigins) == 0 && !allowAllOrigins {
+				allowAllOrigins = true
 			}
 			return
 		}
 	}
+
 	parts := strings.FieldsFunc(raw, func(r rune) bool {
 		switch r {
 		case ',', ';', ' ', '\n', '\t', '\r':
@@ -56,16 +99,15 @@ func loadAllowedOriginsFromEnv() {
 		}
 	})
 	for _, p := range parts {
-		p = strings.TrimSpace(strings.Trim(p, "\"'"))
-		if p == "" {
-			continue
-		}
-		allowedOrigins = append(allowedOrigins, p)
-		if p == "*" {
-			allowAllOrigins = true
-		}
+		addAllowedOrigin(p)
 	}
-	if len(allowedOrigins) == 0 {
+
+	// The legacy GitHub signing flow redirects contributors to these consoles.
+	// Therefore these origins must be allowed to call the v1/v2 APIs after
+	// GitHub OAuth redirects back to EasyCLA.
+	addContributorConsoleOrigins()
+
+	if len(allowedOrigins) == 0 && !allowAllOrigins {
 		allowAllOrigins = true
 	}
 }
@@ -75,10 +117,12 @@ func isOriginAllowed(origin string) bool {
 	if allowAllOrigins {
 		return true
 	}
-	origin = strings.TrimSpace(origin)
+
+	origin = normalizeAllowedOrigin(origin)
 	if origin == "" {
 		return false
 	}
+
 	for _, o := range allowedOrigins {
 		if origin == o {
 			return true
@@ -89,22 +133,21 @@ func isOriginAllowed(origin string) bool {
 
 func CORS(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		origin := r.Header.Get("Origin")
+		allowedOriginsOnce.Do(loadAllowedOriginsFromEnv)
+
+		origin := normalizeAllowedOrigin(r.Header.Get("Origin"))
+
 		if origin != "" && isOriginAllowed(origin) {
-			// Echo the origin when allowlisting is enabled.
+			// Echo the origin. Browsers reject "*" when credentials/cookies are used.
 			w.Header().Set("Access-Control-Allow-Origin", origin)
 			w.Header().Add("Vary", "Origin")
 		} else if origin == "" && isOriginAllowed("*") {
 			// Non-browser clients.
 			w.Header().Set("Access-Control-Allow-Origin", "*")
-		} else if origin != "" && isOriginAllowed("*") {
-			// Backwards compatible default: allow all.
-			w.Header().Set("Access-Control-Allow-Origin", "*")
 		}
+
 		// Legacy Python sets the string literal "true".
 		w.Header().Set("Access-Control-Allow-Credentials", "true")
-		// Keep this list *exactly* aligned with the legacy Python middleware:
-		//   response.set_header("Access-Control-Allow-Headers", "Content-Type, Authorization")
 		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")