From 84abdba07616ffabb2afb42673ec0bf2cf5badd0 Mon Sep 17 00:00:00 2001
From: Syed Ahmed
Date: Wed, 22 Mar 2023 11:15:59 -0400
Subject: [PATCH] api: Allow setting multiple CORS_ORIGIN (PROJQUAY-5213) (#1791)

api: Allow setting multiple CORS_ORIGIN (PROJQUAY-5213)

multiple CORS Origin are required for integration with console.redhat
---
 util/config/schema.py | 4 ++--
 util/request.py | 21 +++++++++++++++++----
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/util/config/schema.py b/util/config/schema.py
index fd9d6494e..5d2ac7e6d 100644
--- a/util/config/schema.py
+++ b/util/config/schema.py
@@ -1223,9 +1223,9 @@ CONFIG_SCHEMA = {
 "x-example": "export-compliance.com",
 },
 "CORS_ORIGIN": {
- "type": "string",
+ "type": "array",
 "description": "Cross-Origin domain to allow requests from",
- "x-example": "localhost:9000",
+ "x-example": ["localhost:9000", "localhost:8080"],
 },
 "FEATURE_LISTEN_IP_VERSION": {
 "type": "string",
diff --git a/util/request.py b/util/request.py
index c66e4affe..ed6ba42cd 100644
--- a/util/request.py
+++ b/util/request.py
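Review bot: The `array` type for `CORS_ORIGIN` is declared without an `items` schema, and the new `x-example` lists bare `localhost:9000`-style entries that the consumer in util/request.py (second hunk) compares verbatim against the browser's `Origin` header, which always carries a scheme; such entries can never match in the multi-origin path, so the response silently falls back to `*`. I would pin the element type and make the example match the header format: `"items": {"type": "string"},` / `"uniqueItems": True,` / `"x-example": ["https://localhost:9000", "https://console.redhat.com"],`. The description still reads "Cross-Origin domain" in the singular and does not say that full origins are expected; something like "Origins (scheme://host[:port]) allowed to make cross-origin requests to this API" would tell operators what the list must contain.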
@@ -29,16 +29,29 @@ def crossorigin(anonymous=True):
 def decorate(func):
 @wraps(func)
 def wrapper(*args, **kwargs):
- cors_origin = app.config.get("CORS_ORIGIN", "*")
+ cors_origin_list = app.config.get("CORS_ORIGIN", [])
+ cors_origin = "*"
+
+ if len(cors_origin_list) == 1:
+ cors_origin = cors_origin_list[0]
+ elif len(cors_origin_list) > 1:
+ # if there are multiple CORS_ORIGIN set, then use
+ # the Origin header from the request to set the
+ # correct Allow-Origin
+ request_origin = request.headers.get("Origin")
+ if request_origin in cors_origin_list:
+ cors_origin = request_origin
+
 headers = BASE_CROSS_DOMAIN_HEADERS
- # For calls that can only be called from
- # a known cross-origin domain like CSRF token
- # request
+ # For calls that are not anonymous eg: CSRF token request
+ # respond with no CORS headers if CORS_ORIGIN is not set
 if not anonymous and cors_origin == "*":
 return func(*args, **kwargs)
 credentials = False
+ # if we have CORS_ORIGIN set to a domain, then add the corresponding
+ # CORS headers as allowed headers
 if cors_origin != "*":
 headers = BASE_CROSS_DOMAIN_HEADERS + SINGLE_ORIGIN_CROSS_DOMAIN_HEADERS
 # for single origin requests, allow cookies
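Review bot: `request_origin in cors_origin_list` in the new `elif` branch becomes a substring test if `CORS_ORIGIN` is still the pre-patch string form, and `app.config.get("CORS_ORIGIN", [])` does nothing to prevent that: a string longer than one character takes the `elif` path, and an attacker-registered origin that is a prefix of the configured value (e.g. `https://console.redhat.co` against `https://console.redhat.com`) would be echoed in `Access-Control-Allow-Origin` with credentials enabled. Whether schema validation rejects such a config at startup is not visible here, so I would normalise defensively right after the lookup: `if isinstance(cors_origin_list, str):` / `    cors_origin_list = [cors_origin_list]`. Because the allowed origin now depends on the request, the response (built in the rest of `wrapper`, which continues past this hunk) should also carry `Vary: Origin` unless that is already set elsewhere, or a shared cache may serve one origin's `Access-Control-Allow-Origin` to another. A comment above the `elif`, e.g. `# entries must be full origins (scheme://host[:port]) to match the browser's Origin header`, would explain why an unmatched or bare host:port entry silently falls back to `*`.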