
Commit b95da9e

authored
Merge pull request lightspeed-core#408 from tisnik/lcore-405-do-not-allow-crendentials-to-be-enabled-for-star-origins
LCORE-405: do not allow credentials to be enabled for `*` origins
2 parents 62963c9 + b9ca231 commit b95da9e

2 files changed

Lines changed: 59 additions & 3 deletions


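--- a/src/models/config.py
+++ b/src/models/config.py
@@ -30,13 +30,21 @@ class CORSConfiguration(BaseModel):
 allow_origins: list[str] = [
 "*"
 ] # not AnyHttpUrl: we need to support "*" that is not valid URL
-allow_credentials: bool = True
+allow_credentials: bool = False
 allow_methods: list[str] = ["*"]
 allow_headers: list[str] = ["*"]
 
 @model_validator(mode="after")
 def check_cors_configuration(self) -> Self:
 """Check CORS configuration."""
+# credentials are not allowed with wildcard origins per CORS/Fetch spec.
+# see https://fastapi.tiangolo.com/tutorial/cors/
+if self.allow_credentials and "*" in self.allow_origins:
+raise ValueError(
+"Invalid CORS configuration: allow_credentials can not be set to true when "
+"allow origins contains '*' wildcard."
+"Use explicit origins or disable credential."
+)
 return self
 
 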
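Review bot: The ValueError message in the new lines 44–46 of the hunk is assembled from adjacent string literals, and `"allow origins contains '*' wildcard."` has no trailing space, so the rendered text reads `wildcard.Use explicit origins or disable credential.`; changing the two literals to `"allow origins contains '*' wildcard. "` and `"Use explicit origins or disable credentials."` fixes the spacing and the grammar. The unit test in tests/unit/models/test_config.py in this same commit matches the concatenated text with a regex, so it has to track that change. The validator's docstring `"""Check CORS configuration."""` should state the contract it now enforces, e.g. `"""Reject credentialed CORS with a wildcard origin; raises ValueError when allow_credentials is True and allow_origins contains "*"."""`. The comment on line 40 could also say why this matters beyond spec compliance: if the CORS middleware reflects the request origin when credentials are enabled (as Starlette's does, to be confirmed for this deployment), a wildcard plus credentials lets any site make cookie-authenticated cross-origin requests, which is the risk the default flip to `False` on line 33 closes.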

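--- a/tests/unit/models/test_config.py
+++ b/tests/unit/models/test_config.py
@@ -220,12 +220,12 @@ def test_cors_default_configuration() -> None:
 cfg = CORSConfiguration()
 assert cfg is not None
 assert cfg.allow_origins == ["*"]
-assert cfg.allow_credentials is True
+assert cfg.allow_credentials is False
 assert cfg.allow_methods == ["*"]
 assert cfg.allow_headers == ["*"]
 
 
-def test_cors_custom_configuration() -> None:
+def test_cors_custom_configuration_v1() -> None:
 """Test the CORS configuration."""
 cfg = CORSConfiguration(
 allow_origins=["foo_origin", "bar_origin", "baz_origin"],
@@ -240,6 +240,54 @@ def test_cors_custom_configuration() -> None:
 assert cfg.allow_headers == ["foo_header", "bar_header", "baz_header"]
 
 
+def test_cors_custom_configuration_v2() -> None:
+"""Test the CORS configuration."""
+cfg = CORSConfiguration(
+allow_origins=["foo_origin", "bar_origin", "baz_origin"],
+allow_credentials=True,
+allow_methods=["foo_method", "bar_method", "baz_method"],
+allow_headers=["foo_header", "bar_header", "baz_header"],
+)
+assert cfg is not None
+assert cfg.allow_origins == ["foo_origin", "bar_origin", "baz_origin"]
+assert cfg.allow_credentials is True
+assert cfg.allow_methods == ["foo_method", "bar_method", "baz_method"]
+assert cfg.allow_headers == ["foo_header", "bar_header", "baz_header"]
+
+
+def test_cors_custom_configuration_v3() -> None:
+"""Test the CORS configuration."""
+cfg = CORSConfiguration(
+allow_origins=["*"],
+allow_credentials=False,
+allow_methods=["foo_method", "bar_method", "baz_method"],
+allow_headers=["foo_header", "bar_header", "baz_header"],
+)
+assert cfg is not None
+assert cfg.allow_origins == ["*"]
+assert cfg.allow_credentials is False
+assert cfg.allow_methods == ["foo_method", "bar_method", "baz_method"]
+assert cfg.allow_headers == ["foo_header", "bar_header", "baz_header"]
+
+
+def test_cors_improper_configuration() -> None:
+"""Test the CORS configuration."""
+expected = (
+"Value error, Invalid CORS configuration: "
++ "allow_credentials can not be set to true when allow origins contains '\\*' wildcard."
++ "Use explicit origins or disable credential."
+)
+
+with pytest.raises(ValueError, match=expected):
+# allow_credentials can not be true when allow_origins contains '*'
+CORSConfiguration(
+allow_origins=["*"],
+allow_credentials=True,
+allow_methods=["foo_method", "bar_method", "baz_method"],
+allow_headers=["foo_header", "bar_header", "baz_header"],
+)
+
+
 def test_tls_configuration() -> None:
 """Test the TLS configuration."""
 cfg = TLSConfiguration(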
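Review bot: `test_cors_improper_configuration` passes a mostly unescaped message to `pytest.raises(match=...)`, which is a regex search, so the `.` after `wildcard` and after `credential` match any character and the assertion keeps passing if the message spacing changes; only the `*` was escaped. Build `expected` from the literal message with `re.escape(...)` so the test pins the exact text; that needs `re` imported at the top of the module if it is not already, and `pytest` is assumed to be imported above the hunk. The `_v1/_v2/_v3` names and the identical docstring `"""Test the CORS configuration."""` on each new test do not say what each case covers; names such as `test_cors_credentials_with_explicit_origins` and `test_cors_wildcard_origin_without_credentials` with matching one-line docstrings would make a failure self-explanatory. A case with the wildcard mixed into an explicit list, e.g. `allow_origins=["foo_origin", "*"]` with `allow_credentials=True`, would also pin that the validator's membership check rejects that shape and not only the single-element `["*"]`.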
