Activation de CORS pour l'accès à l'API :

* accès total en mode développement * accès restreint à l'URL /api en mode production
2017-09-07 18:27:10 +02:00
parent ea2d3d0c43
commit 8847c351c1
7 changed files with 20 additions and 2 deletions
--- a/collection/collection/components/api.py
+++ b/collection/collection/components/api.py
@ -6,3 +6,12 @@ REST_FRAMEWORK = {
    'TEST_REQUEST_DEFAULT_FORMAT': 'json',
    'UNICODE_JSON': True,
 }
+
+# CORS
+CORS_ORIGIN_ALLOW_ALL = False  # disallow all website for cross site requests
+
+# Authorized website for cross site requests
+CORS_ORIGIN_WHITELIST = (
+    'localhost:8000',
+    '127.0.0.1:8000'
+)
--- a/collection/collection/components/common.py
+++ b/collection/collection/components/common.py
@ -27,6 +27,7 @@ INSTALLED_APPS = [
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
+    'corsheaders',
    'core',
    'games.apps.GamesConfig',
 ]
@ -35,6 +36,7 @@ MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.locale.LocaleMiddleware',
+    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
--- a/collection/collection/environments/development.py
+++ b/collection/collection/environments/development.py
@ -7,5 +7,7 @@ SECRET_KEY = 'tqma23#v!#ecse_gz_u(1oa6+x%1uyi718an9%nefqhi$0q_eg'
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True

-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['*']

+# CORS: allow all site to make cross site requests
+CORS_ORIGIN_ALLOW_ALL = True
--- a/collection/collection/environments/production.py
+++ b/collection/collection/environments/production.py
@ -14,3 +14,6 @@ ALLOWED_HOSTS = [os.getenv('ALLOWED_HOSTS', '*')]
 # - if you use a proxy like Nginx, you need to add this line into config:
 #   `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
 USE_X_FORWARDED_HOST = True
+
+# CORS: as we only need to acces API, a regular expression is enough
+CORS_URLS_REGEX = r'^/api/.*$'
--- a/collection/collection/settings.py
+++ b/collection/collection/settings.py
@ -18,7 +18,7 @@ base_settings = [
    'components/common.py',  # standard django settings
    'components/database.py',  # SQLite 3
    'components/i18n.py',  # Internationalisation and localization
-    'components/api.py',  # API (django rest framework)
+    'components/api.py',  # API (django rest framework) + CORS

    # Select the right env:
    'environments/%s.py' % ENV,