Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CORS setup #1782

Closed
wants to merge 1 commit into from
Closed

Conversation

mattgotteiner
Copy link
Collaborator

Purpose

  • Issue CORS blocking redirect on app services logout #1780 indicated something was wrong with the CORS configuration
  • ALLOWED_ORIGIN was not set properly so the app backend couldn't respond to cross-origin requests that are allowed
  • Fix setting of ALLOWED_ORIGIN in bicep

Does this introduce a breaking change?

When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.

[ ] Yes
[X] No

Does this require changes to learn.microsoft.com docs?

This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.

[ ] Yes
[X] No

Type of change

[X] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

@pamelafox
Copy link
Collaborator

mypy eek

@@ -283,7 +293,7 @@ module backend 'core/host/appservice.bicep' = {
managedIdentity: true
virtualNetworkSubnetId: isolation.outputs.appSubnetId
publicNetworkAccess: publicNetworkAccess
allowedOrigins: [ allowedOrigin ]
allowedOrigins: allowedOrigins
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this always end up allowing origins even if they don't enable user auth? I dont see a conditional that makes it empty in that case. But maybe my eyes have glazed over.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe we always allowed them anyway?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

allowedOrigin should be empty if they don't enable user auth. I will double check this, good catch

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this is an interesting case

  1. We were never enabling the portal origins before due to a bug
  2. So unless they explicitly specified an allowed origin, we never enabled cors

My thought is that we want to only add in the portal / login origins if auth is enabled, otherwise just pick the origins they added. I'll make this adjustment

allowed_origin = allowed_origin.split(";")
if len(allowed_origin) > 0:
app.logger.info("CORS enabled for %s", allowed_origin)
cors(app, allow_origin=allowed_origin, allow_methods=["GET", "POST"])
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do need to allow credentials

@mattgotteiner
Copy link
Collaborator Author

Pulled into #2205

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants