From ea43f6ac20aea9f7f786de69f4adb31bb1ea3df1 Mon Sep 17 00:00:00 2001
From: Francis Tembo
Date: Wed, 15 Jan 2025 16:06:02 +0100
Subject: [PATCH 1/3] added CORS middleware configuration
---
 app/main.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/app/main.py b/app/main.py
index 11c03fb..0c7ad76 100644
--- a/app/main.py
+++ b/app/main.py
@@ -3,6 +3,7 @@ from fastapi.responses import HTMLResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
+from fastapi.middleware.cors import CORSMiddleware
 from typing import Annotated
 from uuid import UUID
@@ -33,6 +34,14 @@ app = FastAPI()
+app.add_middleware(
+ CORSMiddleware,
+ allow_origins=["*"],
+ allow_credentials=True,
+ allow_methods=["GET", "POST", "PUT", "DELETE"],
+ allow_headers=["*"],
+)
+
 app.include_router(author.router)
 app.include_router(output.router)
 app.include_router(country.router)
From 891bac4d47a41a8dcd629d77d5f614273d4b7fbf Mon Sep 17 00:00:00 2001
From: Francis Tembo
Date: Fri, 17 Jan 2025 10:52:53 +0100
Subject: [PATCH 2/3] disable CORS allow_credentials because of wildcard origin
---
 app/main.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/main.py b/app/main.py
index 0c7ad76..9bb53cd 100644
--- a/app/main.py
+++ b/app/main.py
@@ -37,10 +37,10 @@ app.add_middleware(
 CORSMiddleware,
 allow_origins=["*"],
- allow_credentials=True,
+ allow_credentials=False,
 allow_methods=["GET", "POST", "PUT", "DELETE"],
- allow_headers=["*"],
-)
+ allow_headers=["*"]
+ )
 app.include_router(author.router)
 app.include_router(output.router)
From 4c39ee95af940fb69103af406d43495d4ebf9a2d Mon Sep 17 00:00:00 2001
From: Francis Tembo
Date: Fri, 17 Jan 2025 10:54:08 +0100
Subject: [PATCH 3/3] added CORS test
---
 app/test_main.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/app/test_main.py b/app/test_main.py
index 048f240..72b4666 100644
--- a/app/test_main.py
+++ b/app/test_main.py
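Review bot: After this change `allow_origins=["*"]` is still hard-coded, so every cross-origin request is answered with `Access-Control-Allow-Origin: *`; disabling credentials is the right response to a wildcard, but if the API is only meant to be consumed by a known frontend (the tests in patch 3 use `http://localhost:3000`), an explicit origin list read from configuration would narrow exposure and would also be the precondition for ever re-enabling `allow_credentials` safely. The enclosing `app.add_middleware(` call starts outside the hunk. As a point of style, the new side drops the trailing comma after `allow_headers=["*"]` and appears to indent the closing parenthesis to argument level; `black` would emit `allow_headers=["*"],` followed by `)` at column 0, as the original lines had it.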
@@ -143,3 +143,30 @@ def test_workstream_error_on_not_exist(self):
 """
 response = client.get("/api/workstreams/XXX")
 assert response.status_code == 404
+
+class TestCORS:
+ def test_cors_preflight(self):
+ response = client.options("/api/authors", headers={
+ "Origin": "http://localhost:3000",
+ "Access-Control-Request-Method": "GET",
+ "Access-Control-Request-Headers": "Content-Type"
+ })
+ assert response.status_code == 200
+ assert response.headers["access-control-allow-origin"] == "*"
+ assert "GET" in response.headers["access-control-allow-methods"]
+
+ def test_cors_headers_on_response(self):
+ response = client.get("/api/authors", headers={
+ "Origin": "http://localhost:3000"
+ })
+ assert response.status_code == 200
+ assert response.headers["access-control-allow-origin"] == "*"
+
+ def test_cors_credentials(self):
+ response = client.options("/api/authors", headers={
+ "Origin": "http://localhost:3000",
+ "Access-Control-Request-Method": "GET",
+ "Access-Control-Request-Headers": "Content-Type, Authorization"
+ })
+ assert response.status_code == 200
+ assert "authorization" in response.headers["access-control-allow-headers"].lower()
\ No newline at end of file
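Review bot: `test_cors_credentials` never checks anything about credentials — it only asserts that `authorization` appears in `access-control-allow-headers`, which follows from `allow_headers=["*"]` regardless of the credentials setting; after patch 2 set `allow_credentials=False`, the property worth pinning is that the preflight response carries no credentials header, e.g. `assert "access-control-allow-credentials" not in response.headers`. The same assertion would fit `test_cors_headers_on_response` so the simple-request path is covered too. `TestCORS` relies on `client` defined earlier in the file, outside the hunk, and the file now ends without a trailing newline.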