Manage CORS configuration via environment variables using django-cors-headers #1487
t-book wants to merge 1 commit into opengisch:master from
suricactus left a comment
Thanks for the contribution! Nicely documented and organized.
I added a few comments on the code that need adjustment if we merge this.
After internal testing of the change we will let you know if this can be merged in the next weeks.
| CORS_ALLOWED_ORIGINS = [ | ||
| origin.strip() | ||
| for origin in os.environ.get("CORS_ALLOWED_ORIGINS", "").split(",") | ||
| if origin.strip() | ||
| ] |
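Review bot: the comprehension trims whitespace and drops empty items but accepts whatever is left, so an entry with a trailing slash or without a scheme ends up in CORS_ALLOWED_ORIGINS unchecked, even though the .env comment in this PR says "Do NOT include trailing slashes". Consider validating each entry where the setting is loaded (scheme and host present, no path) and failing startup on a bad one, so a typo in the environment variable surfaces as a configuration error rather than as a CORS failure in the browser.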
| CORS_ALLOWED_ORIGINS = [ | |
| origin.strip() | |
| for origin in os.environ.get("CORS_ALLOWED_ORIGINS", "").split(",") | |
| if origin.strip() | |
| ] | |
| CORS_ALLOWED_ORIGINS = parse_string_to_list(os.environ.get("CORS_ALLOWED_ORIGINS", "")) |
Can you add a new helper function parse_string_to_list(input_str: str) -> list[str] to settings_utils instead of inlining the Python in this file?
This file has way too many diff lines. Please minimize to the actual subset of changes that matters. Also it seems you ran the script with Python 3.11 somehow. Make sure you use the pip-compile that is part of the app container.
| # Comma-separated list of origins allowed to make cross-origin requests to the API. | ||
| # Do NOT include trailing slashes. Example: https://app.example.com,http://localhost:5173 | ||
| CORS_ALLOWED_ORIGINS=https://docs.qfield.org | ||
|
|
||
| # Allow credentials (cookies, authorization headers) in cross-origin requests. | ||
| # Set to 1 if your clients send authentication tokens or session cookies. | ||
| CORS_ALLOW_CREDENTIALS=1 |
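Review bot: CORS_ALLOW_CREDENTIALS=1 is the example default while the comment for CORS_ALLOWED_ORIGINS suggests adding origins such as http://localhost:5173, so anyone extending the list from that example allows credentialed cross-origin requests from every entry, including a plain-http one. Consider shipping 0 as the example value, or stating in the comment that with 1 each listed origin is trusted with the user's cookies and authorization headers.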
| # Comma-separated list of origins allowed to make cross-origin requests to the API. | |
| # Do NOT include trailing slashes. Example: https://app.example.com,http://localhost:5173 | |
| CORS_ALLOWED_ORIGINS=https://docs.qfield.org | |
| # Allow credentials (cookies, authorization headers) in cross-origin requests. | |
| # Set to 1 if your clients send authentication tokens or session cookies. | |
| CORS_ALLOW_CREDENTIALS=1 | |
| # Comma-separated list of origins allowed to make cross-origin requests to the API. | |
| # Example "https://app.example.com,http://localhost:5173" | |
| # NOTE: Do NOT include trailing slashes. | |
| # DEFAULT: "https://docs.qfield.org" | |
| CORS_ALLOWED_ORIGINS=https://docs.qfield.org | |
| # Allow credentials (cookies, authorization headers) in cross-origin requests. | |
| # VALUES: 0 - do not allow credentials; 1 - allow clients to send authentication tokens or session cookies. | |
| # DEFAULT: 1 | |
| CORS_ALLOW_CREDENTIALS=1 |
See the docs example here: https://github.com/csgis/QFieldCloud/blob/b1f73e9074a3dc55fc359d8e0fa8c8607d1cf256/.env.example#L6
Thanks a lot for your feedback @suricactus, I will update the PR accordingly!
Hi there!
Previously, allowing cross-origin access to the API required manually adding add_header directives in the nginx configuration. This made it cumbersome for developers building custom frontends or apps against the QFieldCloud API.
This PR introduces django-cors-headers so that allowed origins can be managed entirely through environment variables:
Changes:
django-cors-headers as a dependency
Access-Control-Allow-Origin header from nginx (/swagger.yaml). https://docs.qfield.org should go into .env
CORS_ALLOWED_ORIGINS and CORS_ALLOW_CREDENTIALS through docker-compose.yml
This allows developers to build their own frontends against the API by simply adding their origin to CORS_ALLOWED_ORIGINS — no nginx changes or container rebuilds required.
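One way the environment value could be parsed and checked before it reaches the settings, as an added example that is not code from this PR or from QFieldCloud. `parse_string_to_list` uses the signature requested in the review, but its body is an assumption; `check_cors_origins`, `LOCAL_HOSTS` and `SAMPLE` are hypothetical names, and the plain-http rule is a policy choice added here, not something django-cors-headers requires.

```python
from urllib.parse import urlsplit

# Hosts where plain http is tolerated for local development (assumption).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample value for CORS_ALLOWED_ORIGINS, with typical mistakes.
SAMPLE = (
    " https://docs.qfield.org , http://localhost:5173,, "
    "https://app.example.com/ ,http://app.example.com"
)


def parse_string_to_list(input_str: str) -> list[str]:
    """Split on commas, trim whitespace and drop empty items."""
    return [item.strip() for item in input_str.split(",") if item.strip()]


def check_cors_origins(raw: str, allow_credentials: bool) -> tuple[list[str], list[str]]:
    """Return (origins, problems); an empty problems list means the value is usable."""
    origins = parse_string_to_list(raw)
    problems = []
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            # Catches "*", bare host names and "localhost:5173" without a scheme.
            problems.append(f"{origin!r}: expected scheme://host[:port]")
        elif parts.path or parts.query or parts.fragment:
            # A trailing slash shows up here as path "/".
            problems.append(f"{origin!r}: origin must not carry a path, query or fragment")
        elif (
            allow_credentials
            and parts.scheme == "http"
            and parts.hostname not in LOCAL_HOSTS
        ):
            problems.append(f"{origin!r}: credentialed requests from a plain http origin")
    return origins, problems


if __name__ == "__main__":
    parsed, issues = check_cors_origins(SAMPLE, allow_credentials=True)
    print(parsed)
    for issue in issues:
        print("problem:", issue)
```

A settings module could call this once at import time and raise if `problems` is non-empty.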