From 0f89e21611f0caf6c5ff277c080c9ddc792c517a Mon Sep 17 00:00:00 2001 From: Oliver Date: Thu, 7 Mar 2024 08:15:05 +1100 Subject: [PATCH] In debug mode, allow CORS from localhost origins (#6650) * In debug mode, allow CORS from localhost origins - Should allow more reliable connection from the vite frontend dev server * Allow regex pattern to be specified externally * Update docs --- InvenTree/InvenTree/settings.py | 14 +++++++++++++- docs/docs/start/config.md | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py index 83947e6d52..ad6f59271b 100644 --- a/InvenTree/InvenTree/settings.py +++ b/InvenTree/InvenTree/settings.py @@ -1022,7 +1022,7 @@ CORS_ALLOW_CREDENTIALS = get_boolean_setting( default_value=True, ) -# Only allow CORS access to API and media endpoints +# Only allow CORS access to the following URL endpoints CORS_URLS_REGEX = r'^/(api|media|static)/.*$' CORS_ALLOWED_ORIGINS = get_setting( @@ -1036,6 +1036,18 @@ CORS_ALLOWED_ORIGINS = get_setting( if SITE_URL and SITE_URL not in CORS_ALLOWED_ORIGINS: CORS_ALLOWED_ORIGINS.append(SITE_URL) +CORS_ALLOWED_ORIGIN_REGEXES = get_setting( + 'INVENTREE_CORS_ORIGIN_REGEX', + config_key='cors.regex', + default_value=[], + typecast=list, +) + +# In debug mode allow CORS requests from localhost +# This allows connection from the frontend development server +if DEBUG: + CORS_ALLOWED_ORIGIN_REGEXES.append(r'^http://localhost:\d+$') + for app in SOCIAL_BACKENDS: # Ensure that the app starts with 'allauth.socialaccount.providers' social_prefix = 'allauth.socialaccount.providers.' diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md index 1647e6fd38..799222e4dc 100644 --- a/docs/docs/start/config.md +++ b/docs/docs/start/config.md @@ -81,6 +81,7 @@ Depending on how your InvenTree installation is configured, you will need to pay | INVENTREE_TRUSTED_ORIGINS | trusted_origins | List of trusted origins. Refer to the [django documentation]({% include "django.html" %}/ref/settings/#csrf-trusted-origins) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | | INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | False | | INVENTREE_CORS_ORIGIN_WHITELIST | cors.whitelist | List of whitelisted CORS URLs. Refer to the [django-cors-headers documentation](https://github.com/adamchainz/django-cors-headers#cors_allowed_origins-sequencestr) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | +| INVENTREE_CORS_ORIGIN_REGEX | cors.regex | List of regular expressions for CORS whitelisted URL patterns | *Empty list* | | INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False | | INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False | | INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True |