Skip to content

Commit 0c4e703

Browse files
committed
LCORE-405: do not allow credentials to be enabled for origin set to '*'
1 parent 62963c9 commit 0c4e703

2 files changed

Lines changed: 21 additions & 1 deletion

File tree

src/models/config.py

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,13 +30,21 @@ class CORSConfiguration(BaseModel):
3030
allow_origins: list[str] = [
3131
"*"
3232
] # not AnyHttpUrl: we need to support "*" that is not valid URL
33-
allow_credentials: bool = True
33+
allow_credentials: bool = False
3434
allow_methods: list[str] = ["*"]
3535
allow_headers: list[str] = ["*"]
3636

3737
@model_validator(mode="after")
3838
def check_cors_configuration(self) -> Self:
3939
"""Check CORS configuration."""
40+
# credentials are not allowed with wildcard origins per CORS/Fetch spec.
41+
# see https://fastapi.tiangolo.com/tutorial/cors/
42+
if self.allow_credentials and "*" in self.allow_origins:
43+
raise ValueError(
44+
"Invalid CORS configuration: allow_credentials can not be set to true when "
45+
"allow origins contains '*' wildcard."
46+
"Use explicit origins or disable credential."
47+
)
4048
return self
4149

4250

src/models/response_classes

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
class ProviderHealthStatus(BaseModel):
2+
class ReadinessResponse(BaseModel):
3+
class LivenessResponse(BaseModel):
4+
class NotAvailableResponse(BaseModel):
5+
class FeedbackResponse(BaseModel):
6+
class StatusResponse(BaseModel):
7+
class UnauthorizedResponse(BaseModel):
8+
class ForbiddenResponse(UnauthorizedResponse):
9+
class ConversationResponse(BaseModel):
10+
class ConversationDeleteResponse(BaseModel):
11+
class ConversationDetails(BaseModel):
12+
class ConversationsListResponse(BaseModel):

0 commit comments

Comments
 (0)