Merge pull request #21105 from mvdbeek/fix_cors_on_exceptions

[25.1] Test and fix CORS on exceptions

Author: mvdbeek

lib/galaxy/tool_util/verify/interactor.py

@@ -982,6 +982,22 @@ def _post(
         kwd["timeout"] = kwd.pop("timeout", util.DEFAULT_SOCKET_TIMEOUT)
         return requests.post(url, **kwd)
 
+    def _options(
+        self,
+        path: str,
+        data: Optional[Dict[str, Any]] = None,
+        key: Optional[str] = None,
+        headers: Optional[Dict[str, Optional[str]]] = None,
+        admin: bool = False,
+        anon: bool = False,
+        json: bool = False,
+    ) -> Response:
+        headers = self.api_key_header(key=key, admin=admin, anon=anon, headers=headers)
+        url = self.get_api_url(path)
+        kwd = self._prepare_request_params(data=data, as_json=json, headers=headers)
+        kwd["timeout"] = kwd.pop("timeout", util.DEFAULT_SOCKET_TIMEOUT)
+        return requests.options(url, **kwd)
+
     def _delete(self, path, data=None, key=None, headers=None, admin=False, anon=False, json=False, params=None):
         headers = self.api_key_header(key=key, admin=admin, anon=anon, headers=headers)
         url = self.get_api_url(path)

lib/galaxy/util/requests.py

@@ -39,6 +39,7 @@ def wrapper(*args: Param.args, **kwargs: Param.kwargs) -> RetType:
 head = default_user_agent_decorator(requests.head)
 patch = default_user_agent_decorator(requests.patch)
 post = default_user_agent_decorator(requests.post)
+options = default_user_agent_decorator(requests.options)
 put = default_user_agent_decorator(requests.put)
 session = default_user_agent_decorator(requests.session)
 Session = default_user_agent_decorator(requests.Session)

lib/galaxy/webapps/galaxy/api/__init__.py

@@ -548,7 +548,21 @@ def get_route_handler(self) -> Callable:
         original_route_handler = super().get_route_handler()
 
         async def custom_route_handler(request: Request) -> Response:
-            response: Response = await original_route_handler(request)
+            try:
+                response: Response = await original_route_handler(request)
+            except Exception as exc:
+                # Find and use FastAPI's exception handler
+                handler = None
+                for exc_class, exc_handler in request.app.exception_handlers.items():
+                    if isinstance(exc, exc_class):
+                        handler = exc_handler
+                        break
+
+                if handler is None:
+                    raise exc
+
+                # Call the handler - it's already a callable that takes (request, exc)
+                response = await handler(request, exc)
             response.headers["Access-Control-Allow-Origin"] = request.headers.get("Origin", "*")
             response.headers["Access-Control-Max-Age"] = "600"
             return response

lib/galaxy_test/api/test_landing.py

@@ -162,6 +162,30 @@ def test_create_private_workflow_landing_authenticated_user(self):
         _cannot_claim_request(self.dataset_populator, response)
         _cannot_use_request(self.dataset_populator, response)
 
+    def test_invalid_workflow_landing_creation_cors(self):
+        request = _get_simple_landing_payload(self.workflow_populator, public=True).model_dump()
+        # Make payload invalid.
+        request.pop("workflow_id")
+        cors_headers = {"Access-Control-Request-Method": "POST", "Origin": "https://foo.example"}
+        response = self._options(
+            "workflow_landings",
+            data=request,
+            headers=cors_headers,
+            json=True,
+        )
+        # CORS preflight request should succeed, doesn't matter that the payload is invalid
+        assert response.status_code == 200
+        assert response.headers["Access-Control-Allow-Origin"] == "https://foo.example"
+        response = self._post(
+            "workflow_landings",
+            data=request,
+            headers=cors_headers,
+            json=True,
+        )
+        assert response.status_code == 400
+        assert response.headers["Access-Control-Allow-Origin"] == "https://foo.example"
+        assert "Field required" in response.json()["err_msg"]
+
     @skip_without_tool("cat1")
     def test_create_private_workflow_landing_anonymous_user(self):
         request = _get_simple_landing_payload(self.workflow_populator, public=False)

lib/galaxy_test/base/api.py

@@ -183,6 +183,9 @@ def _head(self, *args, **kwds):
     def _post(self, *args, **kwds):
         return self.galaxy_interactor.post(*args, **kwds)
 
+    def _options(self, *args, **kwds):
+        return self.galaxy_interactor.options(*args, **kwds)
+
     def _delete(self, *args, **kwds):
         return self.galaxy_interactor.delete(*args, **kwds)
 
@@ -237,6 +240,9 @@ def head(self, *args, **kwds):
     def post(self, *args, **kwds):
         return self._post(*args, **kwds)
 
+    def options(self, *args, **kwds):
+        return self._options(*args, **kwds)
+
     def delete(self, *args, **kwds):
         return self._delete(*args, **kwds)