Fix CSRF & CORS problems (#1477)

* Fix CSRF problem * Improved configuration * Update csrf config * Comment CSRF configuration * Include CORS configuration * Fix settings configuration
Qiskit · Sep 3, 2024 · 731d429 · 731d429
1 parent 24b36c0
commit 731d429
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/charts/qiskit-serverless/charts/gateway/templates/deployment.yaml b/charts/qiskit-serverless/charts/gateway/templates/deployment.yaml
@@ -185,6 +185,12 @@ spec:
                   key: {{ .Values.secrets.servicePsql.key.databasePassword }}
             - name: PUBLIC_GROUP_NAME
               value: {{ .Values.application.publicGroupName }}
+            - name: ALLOWED_HOSTS
+              value: {{ .Values.application.allowedHosts | quote }}
+            - name: CSRF_TRUSTED_ORIGINS
+              value: {{ .Values.application.trustedOrigins | quote }}
+            - name: CORS_ALLOWED_ORIGIN_REGEXES
+              value: {{ .Values.application.corsOrigins | quote }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/qiskit-serverless/charts/gateway/values.yaml b/charts/qiskit-serverless/charts/gateway/values.yaml
@@ -52,6 +52,9 @@ application:
   iqpQcon:
     url: "https://api-qcon.quantum.ibm.com/api"
   publicGroupName: "ibm-q/open/main"
+  allowedHosts: "*"
+  trustedOrigins: "http://localhost"
+  corsOrigins: "http://localhost"
 
 cos:
   claimName: gateway-claim

diff --git a/gateway/main/settings.py b/gateway/main/settings.py
@@ -38,8 +38,20 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 LOG_LEVEL = "DEBUG" if int(os.environ.get("DEBUG", 1)) else "INFO"
 
+# It must be a full url without protocol: mydomain.com
 ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS", "*").split(",")
 
+# It must be a full url: https://mydomain.com
+CSRF_TRUSTED_ORIGINS = os.environ.get("CSRF_TRUSTED_ORIGINS", "http://localhost").split(
+    ","
+)
+
+# It must be a regex compatible: ^https://\w+\.example\.com$
+CORS_ALLOWED_ORIGIN_REGEXES = os.environ.get(
+    "CORS_ALLOWED_ORIGIN_REGEXES", "http://localhost"
+).split(",")
+CORS_ALLOWED_ORIGIN_REGEXES = [rf"{pattern}" for pattern in CORS_ALLOWED_ORIGIN_REGEXES]
+
 # allow connections from any kubernetes pod within the cluster
 # k8s pods are given an IP on the private 10. network, and 10.0.0.0/8
 # includes all 10. IPs.
@@ -64,9 +76,11 @@
     "api",
     "psycopg2",
     "drf_yasg",
+    "corsheaders",
 ]
 
 MIDDLEWARE = [
+    "corsheaders.middleware.CorsMiddleware",
     "csp.middleware.CSPMiddleware",
     "allow_cidr.middleware.AllowCIDRMiddleware",
     "django_prometheus.middleware.PrometheusBeforeMiddleware",

diff --git a/gateway/requirements.txt b/gateway/requirements.txt
@@ -20,3 +20,4 @@ drf-yasg>=1.21.7, <2
 sqlparse>=0.5.0, <1
 qiskit-ibm-runtime>=0.27.0
 tzdata>=2024.1
+django-cors-headers>=4.4.0, <5