api: Allow setting multiple CORS_ORIGIN (PROJQUAY-5213) (#1791)

api: Allow setting multiple CORS_ORIGIN (PROJQUAY-5213) multiple CORS Origin are required for integration with console.redhat
2026-01-26 06:21:37 +03:00 · 2023-03-22 11:15:59 -04:00
parent a8bf1c98cf
commit 84abdba076
2 changed files with 19 additions and 6 deletions
--- a/util/config/schema.py
+++ b/util/config/schema.py
@@ -1223,9 +1223,9 @@ CONFIG_SCHEMA = {
            "x-example": "export-compliance.com",
        },
        "CORS_ORIGIN": {
-            "type": "string",
+            "type": "array",
            "description": "Cross-Origin domain to allow requests from",
-            "x-example": "localhost:9000",
+            "x-example": ["localhost:9000", "localhost:8080"],
        },
        "FEATURE_LISTEN_IP_VERSION": {
            "type": "string",
--- a/util/request.py
+++ b/util/request.py
@@ -29,16 +29,29 @@ def crossorigin(anonymous=True):
    def decorate(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
-            cors_origin = app.config.get("CORS_ORIGIN", "*")
+            cors_origin_list = app.config.get("CORS_ORIGIN", [])
+            cors_origin = "*"
+
+            if len(cors_origin_list) == 1:
+                cors_origin = cors_origin_list[0]
+            elif len(cors_origin_list) > 1:
+                # if there are multiple CORS_ORIGIN set, then use
+                # the Origin header from the request to set the
+                # correct Allow-Origin
+                request_origin = request.headers.get("Origin")
+                if request_origin in cors_origin_list:
+                    cors_origin = request_origin
+
            headers = BASE_CROSS_DOMAIN_HEADERS

-            # For calls that can only be called from
-            # a known cross-origin domain like CSRF token
-            # request
+            # For calls that are not anonymous eg: CSRF token request
+            # respond with no CORS headers if CORS_ORIGIN is not set
            if not anonymous and cors_origin == "*":
                return func(*args, **kwargs)

            credentials = False
+            # if we have CORS_ORIGIN set to a domain, then add the corresponding
+            # CORS headers as allowed headers
            if cors_origin != "*":
                headers = BASE_CROSS_DOMAIN_HEADERS + SINGLE_ORIGIN_CROSS_DOMAIN_HEADERS
                # for single origin requests, allow cookies