Update CORS middleware and tests

rcmurphy · rcmurphy · commit 30cad87d0e78 · 2022-05-04T17:01:22.000Z
diff --git a/oauth2_provider/middleware.py b/oauth2_provider/middleware.py
@@ -2,7 +2,7 @@
 from django.contrib.auth import authenticate
 from django.utils.cache import patch_vary_headers
 
-from .models import Application
+from .models import AbstractApplication, Application
 
 
 class OAuth2TokenMiddleware:
@@ -45,18 +45,22 @@ def __call__(self, request):
 METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")
 
 
-class CorsMiddleware(object):
-    def process_request(self, request):
+class CorsMiddleware:
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
         """If this is a preflight-request, we must always return 200"""
         if request.method == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in request.META:
-            return http.HttpResponse()
-        return None
+            response = http.HttpResponse()
+        else:
+            response = self.get_response(request)
 
-    def process_response(self, request, response):
         """Add cors-headers to request if they can be derived correctly"""
         try:
             cors_allow_origin = _get_cors_allow_origin_header(request)
-        except Application.NoSuitableOriginFoundError:
+        except AbstractApplication.NoSuitableOriginFoundError:
             pass
         else:
             response["Access-Control-Allow-Origin"] = cors_allow_origin
diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
@@ -221,6 +221,21 @@ def get_allowed_schemes(self):
         """
         return oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES
 
+    def get_cors_header(self, origin):
+        '''Return a proper cors-header for this origin, in the context of this
+        application.
+        :param origin: Origin-url from HTTP-request.
+        :raises: Application.NoSuitableOriginFoundError
+        '''
+        parsed_origin = urlparse(origin)
+        for allowed_uri in self.redirect_uris.split():
+            parsed_allowed_uri = urlparse(allowed_uri)
+            if (parsed_allowed_uri.scheme == parsed_origin.scheme and
+                    parsed_allowed_uri.netloc == parsed_origin.netloc and
+                    parsed_allowed_uri.port == parsed_origin.port):
+                return origin
+        raise AbstractApplication.NoSuitableOriginFoundError
+
     def allows_grant_type(self, *grant_types):
         return self.authorization_grant_type in grant_types
 
@@ -243,6 +258,9 @@ def jwk_key(self):
         raise ImproperlyConfigured("This application does not support signed tokens")
 
 
+    class NoSuitableOriginFoundError(Exception):
+        pass
+
 class ApplicationManager(models.Manager):
     def get_by_natural_key(self, client_id):
         return self.get(client_id=client_id)
diff --git a/tests/mig_settings.py b/tests/mig_settings.py
@@ -42,6 +42,7 @@
 ]
 
 MIDDLEWARE = [
+    "oauth2_provider.middleware.CorsMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
diff --git a/tests/settings.py b/tests/settings.py
@@ -63,6 +63,7 @@
 ]
 
 MIDDLEWARE = (
+    "oauth2_provider.middleware.CorsMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
diff --git a/tests/test_cors_middleware.py b/tests/test_cors_middleware.py
@@ -1,11 +1,8 @@
 from datetime import timedelta
 
-from django.conf.urls import patterns, url
 from django.contrib.auth import get_user_model
-from django.http import HttpResponse
 from django.test import Client, TestCase, override_settings
 from django.utils import timezone
-from django.views.generic import View
 
 from oauth2_provider.models import AccessToken, get_application_model
 
@@ -14,19 +11,7 @@
 UserModel = get_user_model()
 
 
-class MockView(View):
-    def post(self, request):
-        return HttpResponse()
-
-
-urlpatterns = patterns(
-    "",
-    url(r"^cors-test/$", MockView.as_view()),
-)
-
-
 @override_settings(
-    ROOT_URLCONF="oauth2_provider.tests.test_cors_middleware",
     AUTHENTICATION_BACKENDS=("oauth2_provider.backends.OAuth2Backend",),
     MIDDLEWARE_CLASSES=(
         "oauth2_provider.middleware.OAuth2TokenMiddleware",
diff --git a/tests/urls.py b/tests/urls.py
@@ -1,5 +1,6 @@
 from django.contrib import admin
 from django.urls import include, path
+from .views import MockView
 
 
 admin.autodiscover()
@@ -8,4 +9,5 @@
 urlpatterns = [
     path("o/", include("oauth2_provider.urls", namespace="oauth2_provider")),
     path("admin/", admin.site.urls),
+    path("cors-test/", MockView.as_view()),
 ]

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@`
`42`	`42`	`]`
`43`	`43`
`44`	`44`	`MIDDLEWARE = [`
	`45`	`+ "oauth2_provider.middleware.CorsMiddleware",`
`45`	`46`	`"django.middleware.security.SecurityMiddleware",`
`46`	`47`	`"django.contrib.sessions.middleware.SessionMiddleware",`
`47`	`48`	`"django.middleware.common.CommonMiddleware",`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@`
`63`	`63`	`]`
`64`	`64`
`65`	`65`	`MIDDLEWARE = (`
	`66`	`+ "oauth2_provider.middleware.CorsMiddleware",`
`66`	`67`	`"django.middleware.common.CommonMiddleware",`
`67`	`68`	`"django.contrib.sessions.middleware.SessionMiddleware",`
`68`	`69`	`"django.middleware.csrf.CsrfViewMiddleware",`