From e924b5ece57bf6ab2f3422f819fe8fc0d6bb301b Mon Sep 17 00:00:00 2001
From: Rohan Weeden
Date: Tue, 19 Mar 2024 15:02:48 -0400
Subject: [PATCH] Add debug logging
---
 tests_e2e/test_cors.py | 10 ++++++----
 thin_egress_app/app.py | 15 ++++++++++++++-
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/tests_e2e/test_cors.py b/tests_e2e/test_cors.py
index 2d977ccf..61cd5791 100644
--- a/tests_e2e/test_cors.py
+++ b/tests_e2e/test_cors.py
@@ -51,8 +51,9 @@ def test_cors_preflight_options(urls, auth_cookies):
 headers = dict(r.headers)
 assert r.status_code == 204
- assert headers.get("Access-Control-Allow-Origin") == origin_host
- assert "GET" in headers.get("Access-Control-Allow-Methods")
+ assert headers["Access-Control-Allow-Origin"] == origin_host
+ assert set(headers["Access-Control-Allow-Methods"].split(", ")) >= {"GET", "HEAD", "OPTIONS"}
+ assert set(headers["Access-Control-Allow-Headers"].split(", ")) >= {"Authorization", "Origin"}
 def test_cors_preflight_options_origin_null(urls, auth_cookies):
@@ -71,5 +72,6 @@ def test_cors_preflight_options_origin_null(urls, auth_cookies):
 headers = dict(r.headers)
 assert r.status_code == 204
- assert headers.get("Access-Control-Allow-Origin") == "null"
- assert "GET" in headers.get("Access-Control-Allow-Methods")
+ assert headers["Access-Control-Allow-Origin"] == "null"
+ assert set(headers["Access-Control-Allow-Methods"].split(", ")) >= {"GET", "HEAD", "OPTIONS"}
+ assert set(headers["Access-Control-Allow-Headers"].split(", ")) >= {"Authorization", "Origin"}
diff --git a/thin_egress_app/app.py b/thin_egress_app/app.py
index 88642e1b..11e5e0e9 100644
--- a/thin_egress_app/app.py
+++ b/thin_egress_app/app.py
@@ -478,6 +478,7 @@ def is_cors_allowed():
 origin_header = app.current_request.headers.get("origin")
 cors_origin = os.getenv("CORS_ORIGIN")
+ log.debug("origin_header: %r, cors_origin: %r", origin_header, cors_origin)
 return bool(
 origin_header and cors_origin
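Review bot: The new `Access-Control-Allow-Methods` assertion in test_cors_preflight_options (and the identical one in test_cors_preflight_options_origin_null) is a superset check, so the test keeps passing if the preflight response starts advertising extra methods such as PUT or DELETE. For a header that widens what cross-origin callers may do, pinning the exact set is the stronger check: `assert set(headers["Access-Control-Allow-Methods"].split(", ")) == {"GET", "HEAD", "OPTIONS"}`, assuming those three are the full list in dynamic_url_options (only the tail of that list is visible in this patch). Splitting on the literal `", "` also ties both tests to the server's join separator; `{m.strip() for m in value.split(",")}` would accept either spacing.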
@@ -966,21 +967,33 @@ def dynamic_url_options():
 "HEAD",
 "OPTIONS",
 ]
+ allowed_headers = [
+ "Authorization",
+ "Origin",
+ "X-Requested-With",
+ ]
 request_method = app.current_request.headers.get(
 "Access-Control-Request-Method",
 "",
 ).strip()
+ log.info("Received CORS preflight request for method: %r", request_method)
+
+ log.debug("is_cors_allowed: %s", is_cors_allowed())
+ log.debug("request_method in allowed_methods: %s", request_method in allowed_methods)
 if is_cors_allowed() and request_method in allowed_methods:
 headers = {
- "Access-Control-Allow-Methods": ", ".join(allowed_methods)
+ "Access-Control-Allow-Methods": ", ".join(allowed_methods),
+ "Access-Control-Allow-Headers": ", ".join(allowed_headers),
 }
 add_cors_headers(headers)
+ log.info("Returning success response")
 return Response(
 body="",
 headers=headers,
 status_code=204,
 )
+ log.info("Returning error response")
 return Response(
 body="Method Not Allowed",
 status_code=405,
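Review bot: `is_cors_allowed()` is now evaluated twice per preflight in dynamic_url_options, once as the argument to `log.debug` and once in the `if`, and because this commit also adds a debug line inside is_cors_allowed, the Origin/CORS_ORIGIN pair is logged twice per request. Computing the result once keeps the logged value and the decision in step: `cors_allowed = is_cors_allowed()`, `log.debug("is_cors_allowed: %s", cors_allowed)`, `if cors_allowed and request_method in allowed_methods:`. The rejection path records only "Returning error response" at info level, so with debug logging off there is no record of which Origin was refused or whether the origin or the method caused the 405; adding the reason there (keeping `%r` for request-supplied values) would make refused preflights usable for monitoring. The function starts above this hunk and its final `Response(...)` call continues past it.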