Fix CORS middleware hot-swapping #4570
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Passing run #6078 ↗︎
Details:
Review all test suite changes for PR #4570 ↗︎ |
||||||||||||||||||||
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4570 +/- ##
==========================================
+ Coverage 86.79% 86.81% +0.02%
==========================================
Files 329 330 +1
Lines 19816 19839 +23
Branches 2546 2545 -1
==========================================
+ Hits 17199 17223 +24
Misses 2150 2150
+ Partials 467 466 -1 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Quick turnaround here! I only have one nit and one usability concern with the slash on the cors_origin values. According to this, the Origin values won't contain the slash (path) so we should make sure to strip the slashes or raise a validation error to prevent these "incorrect" values from being stored. And by incorrect I mean that our CORSMiddleware will try to match the Origin value as-is without trying to trim the slashes.
| allow_methods=["*"], | ||
| allow_headers=["*"], | ||
| ) | ||
| return existing_middleware |
There was a problem hiding this comment.
What's the reason for returning the old CORSMiddleware?
There was a problem hiding this comment.
good catch! i think this is just a vestige from a previous iteration/refactor, i think i can remove as it's a potential cause for confusion 👍
Thanks for highlighting/pushing on this @galvana! i happened to chat a bit about it with @NevilleS too, who mentioned that misconfiguring CORS origin settings with values that have trailing slashes and paths is actually a common hiccup/pain point, so your intuition to provide some more guard rails here seems spot on. i've gone a step further than the trailing slash and i have a validator now that rejects any URL with any type of path. reading the MDN spec on origin headers, this is consistent -- origin URLs can only have a scheme, a hostname, and a port See loom below for the integrated UX with the validation now. we could still probably use a bit of polish on the error message, but I think it's clear enough for this iteration 👍 |
Closes PROD-1419
https://www.loom.com/share/c38df34b38194d76aa9b91ae9c32ba33
Description Of Changes
Fixes the broken CORS
allow_originsupdate functionality. Basically, before we were trying to mutate theallow_originsattribute on the existingCORSMiddlewareinstance "in-place", which wasn't effective in actually updating middleware's functionality, as it requires some reinitialization.To fix this, we can instead remove the existing
CORSMiddlewareinstance and add a newCORSMiddlewareinstance (with the updatedallows_originsvalues) using the proper fastAPI app method.Some additional notes:
cors_originsspecified via API (i.e. via admin UI) will be the complete set ofallow_originsin the server's CORS middleware. So anycors_originsset via "traditional" config mechanisms (i.e. fides.toml or env var) will be ignored. that being said, thecors_origin_regex(a different property) can only be set via "traditional" config mechanisms, and is not settable via API - as a security best practice. thecors_origin_regexset via traditional config mechanisms is still used/respected with this change, as it has always been.Code Changes
allow_originsvalues determined by config proxy, i.e. it prefers any API-set values and falls back to "traditional" config set valuesrun_database_startupstartup hook, which comes a bit later in the startup sequence, once we've got a db session to work with (which the config proxy needs)Steps to Confirm
Pre-Merge Checklist
CHANGELOG.md