Add CORS_origins key to configuration
This commit is contained in:
parent
112906458f
commit
b77a105778
@ -82,6 +82,7 @@
|
|||||||
"listen_port": 8080,
|
"listen_port": 8080,
|
||||||
"verbosity": "info",
|
"verbosity": "info",
|
||||||
"jwt_secret_key": "somethingrandom",
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": [],
|
||||||
"username": "",
|
"username": "",
|
||||||
"password": ""
|
"password": ""
|
||||||
},
|
},
|
||||||
|
@ -87,6 +87,7 @@
|
|||||||
"listen_port": 8080,
|
"listen_port": 8080,
|
||||||
"verbosity": "info",
|
"verbosity": "info",
|
||||||
"jwt_secret_key": "somethingrandom",
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": [],
|
||||||
"username": "",
|
"username": "",
|
||||||
"password": ""
|
"password": ""
|
||||||
},
|
},
|
||||||
|
@ -123,6 +123,7 @@
|
|||||||
"listen_port": 8080,
|
"listen_port": 8080,
|
||||||
"verbosity": "info",
|
"verbosity": "info",
|
||||||
"jwt_secret_key": "somethingrandom",
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": [],
|
||||||
"username": "freqtrader",
|
"username": "freqtrader",
|
||||||
"password": "SuperSecurePassword"
|
"password": "SuperSecurePassword"
|
||||||
},
|
},
|
||||||
|
@ -93,6 +93,7 @@
|
|||||||
"listen_port": 8080,
|
"listen_port": 8080,
|
||||||
"verbosity": "info",
|
"verbosity": "info",
|
||||||
"jwt_secret_key": "somethingrandom",
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": [],
|
||||||
"username": "",
|
"username": "",
|
||||||
"password": ""
|
"password": ""
|
||||||
},
|
},
|
||||||
|
@ -13,6 +13,7 @@ Sample configuration:
|
|||||||
"listen_port": 8080,
|
"listen_port": 8080,
|
||||||
"verbosity": "info",
|
"verbosity": "info",
|
||||||
"jwt_secret_key": "somethingrandom",
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": [],
|
||||||
"username": "Freqtrader",
|
"username": "Freqtrader",
|
||||||
"password": "SuperSecret1!"
|
"password": "SuperSecret1!"
|
||||||
},
|
},
|
||||||
@ -232,3 +233,26 @@ Since the access token has a short timeout (15 min) - the `token/refresh` reques
|
|||||||
> curl -X POST --header "Authorization: Bearer ${refresh_token}"http://localhost:8080/api/v1/token/refresh
|
> curl -X POST --header "Authorization: Bearer ${refresh_token}"http://localhost:8080/api/v1/token/refresh
|
||||||
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTk5NzQsIm5iZiI6MTU4OTExOTk3NCwianRpIjoiMDBjNTlhMWUtMjBmYS00ZTk0LTliZjAtNWQwNTg2MTdiZDIyIiwiZXhwIjoxNTg5MTIwODc0LCJpZGVudGl0eSI6eyJ1IjoiRnJlcXRyYWRlciJ9LCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.1seHlII3WprjjclY6DpRhen0rqdF4j6jbvxIhUFaSbs"}
|
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTk5NzQsIm5iZiI6MTU4OTExOTk3NCwianRpIjoiMDBjNTlhMWUtMjBmYS00ZTk0LTliZjAtNWQwNTg2MTdiZDIyIiwiZXhwIjoxNTg5MTIwODc0LCJpZGVudGl0eSI6eyJ1IjoiRnJlcXRyYWRlciJ9LCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.1seHlII3WprjjclY6DpRhen0rqdF4j6jbvxIhUFaSbs"}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## CORS
|
||||||
|
|
||||||
|
All web-based frontends are subject to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) - Cross-Origin Resource Sharing.
|
||||||
|
Since most request to the Freqtrade API must be authenticated, a proper CORS policy is key to avoid security problems.
|
||||||
|
Also, the Standard disallows `*` CORS policies for requests with credentials, so this setting must be done appropriately.
|
||||||
|
|
||||||
|
Users can configure this themselfs via the `CORS_origins` configuration setting.
|
||||||
|
It consists of a list of allowed sites that are allowed to consume resources from the bot's API.
|
||||||
|
|
||||||
|
Assuming your Application would be deployed as `https://frequi.freqtrade.io/home/` - this would mean that the following configuration becomes necessary:
|
||||||
|
|
||||||
|
```jsonc
|
||||||
|
{
|
||||||
|
//...
|
||||||
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": ["https://frequi.freqtrade.io"],
|
||||||
|
//...
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
We strongly recommend to also set `jwt_secret_key` to something random and known only to yourself to avoid unauthorized access to your bot.
|
||||||
|
@ -221,6 +221,8 @@ CONF_SCHEMA = {
|
|||||||
},
|
},
|
||||||
'username': {'type': 'string'},
|
'username': {'type': 'string'},
|
||||||
'password': {'type': 'string'},
|
'password': {'type': 'string'},
|
||||||
|
'jwt_secret_key': {'type': 'string'},
|
||||||
|
'CORS_origins': {'type': 'array', 'items': {'type': 'string'}},
|
||||||
'verbosity': {'type': 'string', 'enum': ['error', 'info']},
|
'verbosity': {'type': 'string', 'enum': ['error', 'info']},
|
||||||
},
|
},
|
||||||
'required': ['enabled', 'listen_ip_address', 'listen_port', 'username', 'password']
|
'required': ['enabled', 'listen_ip_address', 'listen_port', 'username', 'password']
|
||||||
|
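Review bot: The new `'CORS_origins'` item at the end of the hunk validates only `{'type': 'string'}`, so a user can list `"*"`, which is exactly the wildcard-with-credentials combination the accompanying docs say the standard forbids; Flask-CORS, as far as I recall, treats `*` as a match-everything pattern and reflects the requesting origin, so any site could then make credentialed calls to the API. Tightening the item to something like `'items': {'type': 'string', 'pattern': r'^https?://'}` would reject the wildcard (and origins with a path, which browsers never send) at config-validation time instead of relying on the docs. A comment such as `# explicit allow-list only; a bare '*' would reflect any origin with credentials` on that line would make the intent clear. `CONF_SCHEMA` begins outside the hunk.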
@ -90,7 +90,9 @@ class ApiServer(RPC):
|
|||||||
self._config = freqtrade.config
|
self._config = freqtrade.config
|
||||||
self.app = Flask(__name__)
|
self.app = Flask(__name__)
|
||||||
self._cors = CORS(self.app,
|
self._cors = CORS(self.app,
|
||||||
resources={r"/api/*": {"supports_credentials": True, }}
|
resources={r"/api/*": {
|
||||||
|
"supports_credentials": True,
|
||||||
|
"origins": self._config['api_server'].get('CORS_origins', [])}}
|
||||||
)
|
)
|
||||||
|
|
||||||
# Setup the Flask-JWT-Extended extension
|
# Setup the Flask-JWT-Extended extension
|
||||||
|
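Review bot: On the new `"origins"` line the configured list is handed to Flask-CORS next to `"supports_credentials": True` with no check, so a `'*'` entry is accepted silently; if Flask-CORS reflects the requesting origin for a wildcard (which I believe it does), every site would be able to issue credentialed cross-origin requests to `/api/*`. I would read the list into a local, refuse the wildcard before building the extension, and raise the project's usual configuration exception: `cors_origins = self._config['api_server'].get('CORS_origins', [])` followed by `if '*' in cors_origins: raise ValueError('CORS_origins must not contain "*" when credentials are supported')`. The empty-list default appears to keep the API closed to cross-origin browser callers, which is the right default and deserves a `# default []: no cross-origin access until the user opts in` comment on that line. The `__init__` body continues outside the hunk.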
@ -59,6 +59,7 @@
|
|||||||
"listen_port": 8080,
|
"listen_port": 8080,
|
||||||
"verbosity": "info",
|
"verbosity": "info",
|
||||||
"jwt_secret_key": "somethingrandom",
|
"jwt_secret_key": "somethingrandom",
|
||||||
|
"CORS_origins": [],
|
||||||
"username": "",
|
"username": "",
|
||||||
"password": ""
|
"password": ""
|
||||||
},
|
},
|
||||||
|