Skip to content

refactor: Centralize CORS business logic into Tangle middleware #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
morgan-wowk wants to merge 1 commit into
base: master
Choose a base branch
from
+363 −0
Open

refactor: Centralize CORS business logic into Tangle middleware #65

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,22 @@ This backend consists of the API Server and the Orchestrator.
The API Server receives API requests and accesses the database to fulfill them.
The API documentation can be accessed at [http://localhost:8000/docs](http://localhost:8000/docs).

## CORS Middleware

### Purpose

The CORS (Cross-Origin Resource Sharing) middleware allows web browsers to make requests to the Tangle API from different origins (domains). This is essential for:
- Local development (frontend on `localhost:3000`, backend on `localhost:8000`)
- Production deployments where the frontend and backend are on different domains
- Multi-tenant deployments with multiple frontend URLs

### How It Works

1. **Environment Variable Configuration**: Origins are specified in the `TANGLE_CORS_ALLOWED_ORIGINS` environment variable as a comma-separated list
2. **Request Validation**: For each incoming request, the middleware checks the `Origin` header from the browser
3. **Dynamic Response**: If the origin is in the allowed list, the server responds with `Access-Control-Allow-Origin` set to that specific origin
4. **Security**: Only pre-approved origins receive CORS headers, preventing unauthorized cross-origin access

### Orchestrator

The Orchestrator works independently from the API Server.
Expand Down
4 changes: 4 additions & 0 deletions cloud_pipelines_backend/api_router.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
from . import component_library_api_server as components_api
from . import database_ops
from . import errors
from . import middleware

if typing.TYPE_CHECKING:
from .launchers import interfaces as launcher_interfaces
Expand All @@ -39,6 +40,9 @@ def setup_routes(
container_launcher_for_log_streaming: "launcher_interfaces.ContainerTaskLauncher[launcher_interfaces.LaunchedContainer] | None" = None,
default_component_library_owner_username: str = "admin",
):
# Setup global middleware (CORS, etc.) - must be called before routes are added
middleware.setup_cors_middleware(app)

def get_session():
with orm.Session(autocommit=False, autoflush=False, bind=db_engine) as session:
yield session
Expand Down
97 changes: 97 additions & 0 deletions cloud_pipelines_backend/middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
"""
Global middleware configuration for Tangle API servers.

This module provides reusable middleware setup functions that should be used
by all entry points to ensure consistent behavior across deployments.
"""

import logging
import os
from urllib.parse import urlparse

import fastapi
from fastapi.middleware.cors import CORSMiddleware


logger = logging.getLogger(__name__)


def _is_valid_origin(origin: str) -> bool:
"""
Validate that an origin string is a valid URL format.

Args:
origin: The origin URL to validate

Returns:
True if valid, False otherwise
"""
try:
parsed = urlparse(origin)
# Must have a scheme (http/https) and a netloc (domain/host)
if not parsed.scheme or not parsed.netloc:
return False
# Scheme must be http or https
if parsed.scheme not in ("http", "https"):
return False
# Should not have a path beyond '/'
if parsed.path and parsed.path != "/":
return False
return True
except Exception:
return False


def setup_cors_middleware(app: fastapi.FastAPI) -> None:
"""
Configure CORS middleware for the FastAPI application.

Environment Variables:
TANGLE_CORS_ALLOWED_ORIGINS: Comma-separated list of allowed origins.
Default: "http://localhost:3000,http://127.0.0.1:3000" if not set.
"""
cors_origins_str = os.environ.get("TANGLE_CORS_ALLOWED_ORIGINS", "http://localhost:3000,http://127.0.0.1:3000")

# Parse the comma-separated list and strip whitespace from each origin
raw_origins = [
origin.strip()
for origin in cors_origins_str.split(",")
Copy link
Collaborator

@maxy-shpfy maxy-shpfy Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to add more sanity-checks (aka valid URLs) since it is a user-input?

Copy link
Author

@morgan-wowk morgan-wowk Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great idea. I am sure this will help some people.

I have added some validation and useful messages when invalid formats are detected.

if origin.strip()
]

# Validate each origin
allowed_origins = []
invalid_origins = []

for origin in raw_origins:
if _is_valid_origin(origin):
allowed_origins.append(origin)
else:
invalid_origins.append(origin)

# Log warnings for invalid origins
if invalid_origins:
logger.warning(
f"Invalid CORS origins found and ignored: {', '.join(invalid_origins)}. "
f"Origins must be valid URLs with http:// or https:// scheme."
)

if not allowed_origins:
logger.warning(
"No valid CORS origins found. CORS middleware not configured."
)
return

app.add_middleware(
CORSMiddleware,
allow_origins=allowed_origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)

logger.info(
f"CORS middleware configured for {len(allowed_origins)} origin(s): "
f"{', '.join(allowed_origins)}"
)

246 changes: 246 additions & 0 deletions tests/test_middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,246 @@
"""Tests for the middleware module, including CORS configuration."""

import os
import pytest
from fastapi import FastAPI
from fastapi.testclient import TestClient

from cloud_pipelines_backend import middleware


@pytest.fixture
def app():
"""Create a minimal FastAPI app for testing."""
app = FastAPI()

@app.get("/test")
def test_endpoint():
return {"message": "success"}

return app


@pytest.fixture
def clean_env(monkeypatch):
"""Ensure clean environment for each test."""
monkeypatch.delenv("TANGLE_CORS_ALLOWED_ORIGINS", raising=False)


def test_cors_middleware_with_default_origins(app, clean_env, monkeypatch):
"""Test that CORS middleware uses default origins when env var is not set."""
# Don't set TANGLE_CORS_ALLOWED_ORIGINS - should use defaults
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Test request from default origin (localhost:3000)
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://localhost:3000"

# Test request from default origin (127.0.0.1:3000)
response = client.get("/test", headers={"Origin": "http://127.0.0.1:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://127.0.0.1:3000"


def test_cors_middleware_with_custom_single_origin(app, clean_env, monkeypatch):
"""Test CORS middleware with a single custom origin."""
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", "https://app.example.com")
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Test request from allowed origin
response = client.get("/test", headers={"Origin": "https://app.example.com"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "https://app.example.com"

# Test request from disallowed origin
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
# Should not match the disallowed origin
assert response.headers.get("access-control-allow-origin") != "http://localhost:3000"


def test_cors_middleware_with_multiple_origins(app, clean_env, monkeypatch):
"""Test CORS middleware with multiple comma-separated origins."""
origins = "http://localhost:3000,https://staging.example.com,https://app.example.com"
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", origins)
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Test each allowed origin
for origin in ["http://localhost:3000", "https://staging.example.com", "https://app.example.com"]:
response = client.get("/test", headers={"Origin": origin})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == origin

# Test disallowed origin
response = client.get("/test", headers={"Origin": "http://evil.com"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") != "http://evil.com"


def test_cors_middleware_with_whitespace_in_origins(app, clean_env, monkeypatch):
"""Test that whitespace around origins is properly handled."""
origins = " http://localhost:3000 , https://app.example.com , http://127.0.0.1:3000 "
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", origins)
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Test that whitespace is properly stripped
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://localhost:3000"


def test_cors_middleware_without_origin_header(app, clean_env, monkeypatch):
"""Test that requests without Origin header work normally."""
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", "http://localhost:3000")
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Request without Origin header should still work
response = client.get("/test")
assert response.status_code == 200
assert response.json() == {"message": "success"}


def test_cors_middleware_rejects_invalid_url_formats(app, clean_env, monkeypatch, caplog):
"""Test that invalid URL formats are rejected and logged."""
# Mix of valid and invalid origins
origins = "http://localhost:3000,invalid-url,ftp://wrong-scheme.com,http://example.com/path"
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", origins)

middleware.setup_cors_middleware(app)
client = TestClient(app)

# Valid origin should work
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://localhost:3000"

# Check that invalid origins were logged
assert "Invalid CORS origins found and ignored" in caplog.text
assert "invalid-url" in caplog.text


def test_cors_middleware_validates_scheme_http_https_only(app, clean_env, monkeypatch):
"""Test that only http and https schemes are accepted."""
origins = "http://localhost:3000,ftp://example.com,ws://example.com"
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", origins)
middleware.setup_cors_middleware(app)
client = TestClient(app)

# http should work
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://localhost:3000"

# ftp and ws should not be in allowed origins
response = client.get("/test", headers={"Origin": "ftp://example.com"})
assert response.headers.get("access-control-allow-origin") != "ftp://example.com"


def test_cors_middleware_rejects_origins_with_paths(app, clean_env, monkeypatch):
"""Test that origins with paths are rejected."""
origins = "http://localhost:3000,http://example.com/api,http://example.com/path/to/resource"
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", origins)
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Origin without path should work
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://localhost:3000"

# Origins with paths should not work
response = client.get("/test", headers={"Origin": "http://example.com/api"})
assert response.headers.get("access-control-allow-origin") != "http://example.com/api"


def test_cors_middleware_empty_origins_string(app, clean_env, monkeypatch, caplog):
"""Test behavior when TANGLE_CORS_ALLOWED_ORIGINS is set to empty string."""
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", "")
middleware.setup_cors_middleware(app)

# Should log warning about no valid origins
assert "No valid CORS origins found" in caplog.text


def test_cors_middleware_allows_credentials(app, clean_env, monkeypatch):
"""Test that CORS middleware is configured to allow credentials."""
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", "http://localhost:3000")
middleware.setup_cors_middleware(app)
client = TestClient(app)

response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
# FastAPI's CORSMiddleware should set this header
assert "access-control-allow-credentials" in response.headers


def test_cors_middleware_allows_all_methods_and_headers(app, clean_env, monkeypatch):
"""Test that CORS middleware allows all methods and headers."""
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", "http://localhost:3000")
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Preflight request
response = client.options(
"/test",
headers={
"Origin": "http://localhost:3000",
"Access-Control-Request-Method": "POST",
"Access-Control-Request-Headers": "X-Custom-Header",
},
)

assert response.status_code == 200
assert "access-control-allow-methods" in response.headers
assert "access-control-allow-headers" in response.headers


def test_is_valid_origin_helper():
"""Test the _is_valid_origin helper function directly."""
# Valid origins
assert middleware._is_valid_origin("http://localhost:3000") == True
assert middleware._is_valid_origin("https://example.com") == True
assert middleware._is_valid_origin("http://127.0.0.1:8080") == True
assert middleware._is_valid_origin("https://subdomain.example.com:443") == True

# Invalid origins - no scheme
assert middleware._is_valid_origin("localhost:3000") == False
assert middleware._is_valid_origin("example.com") == False

# Invalid origins - wrong scheme
assert middleware._is_valid_origin("ftp://example.com") == False
assert middleware._is_valid_origin("ws://example.com") == False
assert middleware._is_valid_origin("file:///path/to/file") == False

# Invalid origins - has path
assert middleware._is_valid_origin("http://example.com/api") == False
assert middleware._is_valid_origin("https://example.com/path/to/resource") == False

# Invalid origins - malformed
assert middleware._is_valid_origin("not-a-url") == False
assert middleware._is_valid_origin("http://") == False
assert middleware._is_valid_origin("") == False


def test_setup_cors_middleware_integration(app, clean_env, monkeypatch):
"""Test that setup_cors_middleware works end-to-end."""
monkeypatch.setenv("TANGLE_CORS_ALLOWED_ORIGINS", "http://localhost:3000")

# Call setup_cors_middleware
middleware.setup_cors_middleware(app)
client = TestClient(app)

# Verify CORS is working
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("access-control-allow-origin") == "http://localhost:3000"


if __name__ == "__main__":
pytest.main([__file__, "-v"])