feat(api): add cors headers middleware (#2479)

api/libretime_api/settings/_internal.py

@@ -25,9 +25,11 @@ INSTALLED_APPS = [
     "rest_framework",
     "django_filters",
     "drf_spectacular",
+    "corsheaders",
 ]
 
 MIDDLEWARE = [
+    "corsheaders.middleware.CorsMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",

api/libretime_api/settings/prod.py

@@ -39,6 +39,18 @@ ALLOWED_HOSTS = ["*"]
 
 LOGGING = setup_logger(LIBRETIME_LOG_FILEPATH)
 
+# CORS
+# https://github.com/adamchainz/django-cors-headers
+
+# Create an 'origin' by removing the public_url path
+public_url_origin = (
+    CONFIG.general.public_url[: -len(CONFIG.general.public_url.path)]
+    if CONFIG.general.public_url.path
+    else CONFIG.general.public_url
+)
+
+CORS_ALLOWED_ORIGINS = [public_url_origin] + CONFIG.general.allowed_cors_origins
+
 # Database
 # https://docs.djangoproject.com/en/3.2/ref/settings/#databases
 

api/requirements.txt

@@ -1,5 +1,6 @@
 # Please do not edit this file, edit the setup.py file!
 # This file is auto-generated by tools/extract_requirements.py.
+django-cors-headers>=3.14.0,<3.15
 django-filter>=2.4.0,<22.2
 django>=4.1.4,<4.2
 djangorestframework>=3.12.1,<3.15

api/setup.py

@@ -24,6 +24,7 @@ setup(
         ]
     },
     install_requires=[
+        "django-cors-headers>=3.14.0,<3.15",
         "django-filter>=2.4.0,<22.2",
         "django>=4.1.4,<4.2",
         "djangorestframework>=3.12.1,<3.15",

shared/libretime_shared/config/_models.py

@@ -48,6 +48,8 @@ class GeneralConfig(BaseModel):
 
     timezone: str = "UTC"
 
+    allowed_cors_origins: List[AnyHttpUrl] = []
+
     # Validators
     _public_url_no_trailing_slash = no_trailing_slash_validator("public_url")