enable CORS on /api endpoints

2020-06-24 10:30:01 +02:00 · 2020-06-24 10:30:01 +02:00 · 774ffcae3b
parent 85bb30abb0
commit 774ffcae3b
11 changed files with 6 additions and 46 deletions
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@ -1,7 +1,6 @@
 from flask import g
 from flask import jsonify
 from flask import request
-from flask_cors import cross_origin

 from app import alias_utils
 from app.api.base import api_bp, require_api_auth
@ -25,7 +24,6 @@ from app.utils import random_string


@api_bp.route("/aliases", methods=["GET", "POST"])
-@cross_origin()
@require_api_auth
 def get_aliases():
    """
@ -68,7 +66,6 @@ def get_aliases():


@api_bp.route("/v2/aliases", methods=["GET", "POST"])
-@cross_origin()
@require_api_auth
 def get_aliases_v2():
    """
@ -121,7 +118,6 @@ def get_aliases_v2():


@api_bp.route("/aliases/<int:alias_id>", methods=["DELETE"])
-@cross_origin()
@require_api_auth
 def delete_alias(alias_id):
    """
@ -144,7 +140,6 @@ def delete_alias(alias_id):


@api_bp.route("/aliases/<int:alias_id>/toggle", methods=["POST"])
-@cross_origin()
@require_api_auth
 def toggle_alias(alias_id):
    """
@ -170,7 +165,6 @@ def toggle_alias(alias_id):


@api_bp.route("/aliases/<int:alias_id>/activities")
-@cross_origin()
@require_api_auth
 def get_alias_activities(alias_id):
    """
@ -226,7 +220,6 @@ def get_alias_activities(alias_id):


@api_bp.route("/aliases/<int:alias_id>", methods=["PUT"])
-@cross_origin()
@require_api_auth
 def update_alias(alias_id):
    """
@ -310,7 +303,6 @@ def update_alias(alias_id):


@api_bp.route("/aliases/<int:alias_id>", methods=["GET"])
-@cross_origin()
@require_api_auth
 def get_alias(alias_id):
    """
@ -334,7 +326,6 @@ def get_alias(alias_id):


@api_bp.route("/aliases/<int:alias_id>/contacts")
-@cross_origin()
@require_api_auth
 def get_alias_contacts_route(alias_id):
    """
@ -368,7 +359,6 @@ def get_alias_contacts_route(alias_id):


@api_bp.route("/aliases/<int:alias_id>/contacts", methods=["POST"])
-@cross_origin()
@require_api_auth
 def create_contact_route(alias_id):
    """
@ -423,7 +413,6 @@ def create_contact_route(alias_id):


@api_bp.route("/contacts/<int:contact_id>", methods=["DELETE"])
-@cross_origin()
@require_api_auth
 def delete_contact(contact_id):
    """
--- a/app/api/views/alias_options.py
+++ b/app/api/views/alias_options.py
@ -1,5 +1,4 @@
 from flask import jsonify, request, g
-from flask_cors import cross_origin
 from sqlalchemy import desc

 from app.api.base import api_bp, require_api_auth
@ -12,7 +11,6 @@ from app.utils import convert_to_id, random_word


@api_bp.route("/alias/options")
-@cross_origin()
@require_api_auth
 def options():
    """
@ -88,7 +86,6 @@ def options():


@api_bp.route("/v2/alias/options")
-@cross_origin()
@require_api_auth
 def options_v2():
    """
@ -169,7 +166,6 @@ def options_v2():


@api_bp.route("/v3/alias/options")
-@cross_origin()
@require_api_auth
 def options_v3():
    """
@ -246,7 +242,6 @@ def options_v3():


@api_bp.route("/v4/alias/options")
-@cross_origin()
@require_api_auth
 def options_v4():
    """
--- a/app/api/views/apple.py
+++ b/app/api/views/apple.py
@ -5,7 +5,6 @@ import requests
 from flask import g
 from flask import jsonify
 from flask import request
-from flask_cors import cross_origin

 from app.api.base import api_bp, require_api_auth
 from app.config import APPLE_API_SECRET, MACAPP_APPLE_API_SECRET
@ -25,7 +24,6 @@ _PROD_URL = "https://buy.itunes.apple.com/verifyReceipt"


@api_bp.route("/apple/process_payment", methods=["POST"])
-@cross_origin()
@require_api_auth
 def apple_process_payment():
    """
--- a/app/api/views/auth.py
+++ b/app/api/views/auth.py
@ -1,9 +1,9 @@
+import random
+
 import facebook
 import google.oauth2.credentials
 import googleapiclient.discovery
-import random
 from flask import jsonify, request, g
-from flask_cors import cross_origin
 from itsdangerous import Signer

 from app import email_utils
@ -22,7 +22,6 @@ from app.models import User, ApiKey, SocialAuth, AccountActivation


@api_bp.route("/auth/login", methods=["POST"])
-@cross_origin()
@limiter.limit(
    "10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit
 )
@ -68,7 +67,6 @@ def auth_login():


@api_bp.route("/auth/register", methods=["POST"])
-@cross_origin()
 def auth_register():
    """
    User signs up - will need to activate their account with an activation code.
@ -116,7 +114,6 @@ def auth_register():


@api_bp.route("/auth/activate", methods=["POST"])
-@cross_origin()
@limiter.limit(
    "10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit
 )
@ -176,7 +173,6 @@ def auth_activate():


@api_bp.route("/auth/reactivate", methods=["POST"])
-@cross_origin()
 def auth_reactivate():
    """
    User asks for another activation code
@ -218,7 +214,6 @@ def auth_reactivate():


@api_bp.route("/auth/facebook", methods=["POST"])
-@cross_origin()
 def auth_facebook():
    """
    Authenticate user with Facebook
@ -269,7 +264,6 @@ def auth_facebook():


@api_bp.route("/auth/google", methods=["POST"])
-@cross_origin()
 def auth_google():
    """
    Authenticate user with Facebook
@ -343,7 +337,6 @@ def auth_payload(user, device) -> dict:


@api_bp.route("/auth/forgot_password", methods=["POST"])
-@cross_origin()
 def forgot_password():
    """
    User forgot password
--- a/app/api/views/auth_mfa.py
+++ b/app/api/views/auth_mfa.py
@ -1,6 +1,5 @@
 import pyotp
 from flask import jsonify, request
-from flask_cors import cross_origin
 from itsdangerous import Signer

 from app.api.base import api_bp
@ -11,7 +10,6 @@ from app.models import User, ApiKey


@api_bp.route("/auth/mfa", methods=["POST"])
-@cross_origin()
 def auth_mfa():
    """
    Validate the OTP Token
--- a/app/api/views/mailbox.py
+++ b/app/api/views/mailbox.py
@ -3,7 +3,6 @@ from smtplib import SMTPRecipientsRefused
 from flask import g
 from flask import jsonify
 from flask import request
-from flask_cors import cross_origin

 from app.api.base import api_bp, require_api_auth
 from app.dashboard.views.mailbox import send_verification_email
@ -17,7 +16,6 @@ from app.models import Mailbox


@api_bp.route("/mailboxes", methods=["POST"])
-@cross_origin()
@require_api_auth
 def create_mailbox():
    """
@ -62,7 +60,6 @@ def create_mailbox():


@api_bp.route("/mailboxes/<mailbox_id>", methods=["DELETE"])
-@cross_origin()
@require_api_auth
 def delete_mailbox(mailbox_id):
    """
@ -89,7 +86,6 @@ def delete_mailbox(mailbox_id):


@api_bp.route("/mailboxes/<mailbox_id>", methods=["PUT"])
-@cross_origin()
@require_api_auth
 def update_mailbox(mailbox_id):
    """
@ -152,7 +148,6 @@ def update_mailbox(mailbox_id):


@api_bp.route("/mailboxes", methods=["GET"])
-@cross_origin()
@require_api_auth
 def get_mailboxes():
    """
--- a/app/api/views/new_custom_alias.py
+++ b/app/api/views/new_custom_alias.py
@ -1,6 +1,5 @@
 from flask import g
 from flask import jsonify, request
-from flask_cors import cross_origin
 from itsdangerous import SignatureExpired

 from app.api.base import api_bp, require_api_auth
@ -28,7 +27,6 @@ from app.utils import convert_to_id


@api_bp.route("/alias/custom/new", methods=["POST"])
-@cross_origin()
@require_api_auth
 def new_custom_alias():
    """
@ -99,7 +97,6 @@ def new_custom_alias():


@api_bp.route("/v2/alias/custom/new", methods=["POST"])
-@cross_origin()
@require_api_auth
 def new_custom_alias_v2():
    """
@ -194,7 +191,6 @@ def new_custom_alias_v2():


@api_bp.route("/v3/alias/custom/new", methods=["POST"])
-@cross_origin()
@require_api_auth
 def new_custom_alias_v3():
    """
--- a/app/api/views/new_random_alias.py
+++ b/app/api/views/new_random_alias.py
@ -1,6 +1,5 @@
 from flask import g
 from flask import jsonify, request
-from flask_cors import cross_origin

 from app.api.base import api_bp, require_api_auth
 from app.api.serializer import (
@ -14,7 +13,6 @@ from app.models import Alias, AliasUsedOn, AliasGeneratorEnum


@api_bp.route("/alias/random/new", methods=["POST"])
-@cross_origin()
@require_api_auth
 def new_random_alias():
    """
--- a/app/api/views/notification.py
+++ b/app/api/views/notification.py
@ -1,7 +1,6 @@
 from flask import g
 from flask import jsonify
 from flask import request
-from flask_cors import cross_origin

 from app.api.base import api_bp, require_api_auth
 from app.config import PAGE_LIMIT
@ -10,7 +9,6 @@ from app.models import Notification


@api_bp.route("/notifications", methods=["GET"])
-@cross_origin()
@require_api_auth
 def get_notifications():
    """
@ -61,7 +59,6 @@ def get_notifications():


@api_bp.route("/notifications/<notification_id>/read", methods=["POST"])
-@cross_origin()
@require_api_auth
 def mark_as_read(notification_id):
    """
--- a/app/api/views/user_info.py
+++ b/app/api/views/user_info.py
@ -1,11 +1,9 @@
 from flask import jsonify, g
-from flask_cors import cross_origin

 from app.api.base import api_bp, require_api_auth


@api_bp.route("/user_info")
-@cross_origin()
@require_api_auth
 def user_info():
    """
--- a/server.py
+++ b/server.py
@ -5,7 +5,7 @@ import sentry_sdk
 import ssl
 from flask import Flask, redirect, url_for, render_template, request, jsonify, flash
 from flask_admin import Admin
-from flask_cors import cross_origin
+from flask_cors import cross_origin, CORS
 from flask_login import current_user
 from sentry_sdk.integrations.aiohttp import AioHttpIntegration
 from sentry_sdk.integrations.flask import FlaskIntegration
@ -122,6 +122,9 @@ def create_app() -> Flask:
        }
        flask_profiler.init_app(app)

+    # enable CORS on /api endpoints
+    cors = CORS(app, resources={r"/api/*": {"origins": "*"}})
+
    return app