Merge pull request #3344 from freqtrade/fix_cors_policy

CORS - allow authenticated responses
2020-05-20 21:44:30 +03:00 · 2020-05-20 21:44:30 +03:00 · ff7bcb5aae
commit ff7bcb5aae
parent cd3900549c a11651ae67
2 changed files with 17 additions and 9 deletions
--- a/freqtrade/rpc/api_server.py
+++ b/freqtrade/rpc/api_server.py
@ -89,7 +89,9 @@ class ApiServer(RPC):

        self._config = freqtrade.config
        self.app = Flask(__name__)
-        self._cors = CORS(self.app, resources={r"/api/*": {"origins": "*"}})
+        self._cors = CORS(self.app,
+                          resources={r"/api/*": {"supports_credentials": True, }}
+                          )

        # Setup the Flask-JWT-Extended extension
        self.app.config['JWT_SECRET_KEY'] = self._config['api_server'].get(
--- a/tests/rpc/test_rpc_apiserver.py
+++ b/tests/rpc/test_rpc_apiserver.py
@ -39,17 +39,21 @@ def client_post(client, url, data={}):
    return client.post(url,
                       content_type="application/json",
                       data=data,
-                       headers={'Authorization': _basic_auth_str(_TEST_USER, _TEST_PASS)})
+                       headers={'Authorization': _basic_auth_str(_TEST_USER, _TEST_PASS),
+                                'Origin': 'example.com'})


 def client_get(client, url):
-    return client.get(url, headers={'Authorization': _basic_auth_str(_TEST_USER, _TEST_PASS)})
+    # Add fake Origin to ensure CORS kicks in
+    return client.get(url, headers={'Authorization': _basic_auth_str(_TEST_USER, _TEST_PASS),
+                                    'Origin': 'example.com'})


-def assert_response(response, expected_code=200):
+def assert_response(response, expected_code=200, needs_cors=True):
    assert response.status_code == expected_code
    assert response.content_type == "application/json"
-    assert ('Access-Control-Allow-Origin', '*') in response.headers._list
+    if needs_cors:
+        assert ('Access-Control-Allow-Credentials', 'true') in response.headers._list


 def test_api_not_found(botclient):
@ -66,12 +70,12 @@ def test_api_not_found(botclient):
 def test_api_unauthorized(botclient):
    ftbot, client = botclient
    rc = client.get(f"{BASE_URI}/ping")
-    assert_response(rc)
+    assert_response(rc, needs_cors=False)
    assert rc.json == {'status': 'pong'}

    # Don't send user/pass information
    rc = client.get(f"{BASE_URI}/version")
-    assert_response(rc, 401)
+    assert_response(rc, 401, needs_cors=False)
    assert rc.json == {'error': 'Unauthorized'}

    # Change only username
@ -105,7 +109,8 @@ def test_api_token_login(botclient):
    # test Authentication is working with JWT tokens too
    rc = client.get(f"{BASE_URI}/count",
                    content_type="application/json",
-                    headers={'Authorization': f'Bearer {rc.json["access_token"]}'})
+                    headers={'Authorization': f'Bearer {rc.json["access_token"]}',
+                             'Origin': 'example.com'})
    assert_response(rc)


@ -116,7 +121,8 @@ def test_api_token_refresh(botclient):
    rc = client.post(f"{BASE_URI}/token/refresh",
                     content_type="application/json",
                     data=None,
-                     headers={'Authorization': f'Bearer {rc.json["refresh_token"]}'})
+                     headers={'Authorization': f'Bearer {rc.json["refresh_token"]}',
+                              'Origin': 'example.com'})
    assert_response(rc)
    assert 'access_token' in rc.json
    assert 'refresh_token' not in rc.json