2

I'm trying to use flask-cors(3.0.8) with flask-restplus(0.13.0), allowing some origins and denying the others, but the cors doesn't deny any cross origin request.

My architecture is disposed in a way that use 3 files to initialize my app:

1. app/__init__py (declaring my blueprint)

from flask_restplus import Api
from flask import Blueprint
...

BLUEPRINT = Blueprint("api", __name__)
API = Api(BLUEPRINT)
...

2. app/main/__init__.py (with my create_app function, with CORS)

...

def create_app()
  app = Flask(__name__)

  CORS(app, resources={r"/*": {"origins": r".*\.mydomain.com"}})
...

3. manage.py (containing my main process)

from app.main import create_app
from app import BLUEPRINT
...

APP = create_app(os.getenv("APP_ENV", "dev"))
APP.register_blueprint(BLUEPRINT)
APP.app_context().push()
...

if __name__ == "__main__":
  APP.run(host="0.0.0.0", port=80)

This approach is working to initialize my app, but my API is allowing all request from all domains instead of allowing requests only from something.my-domain.com, as configured.

Someone already had this problem?

Gerdson Silva
  • 21
  • 3

2 Answers2

0

I don't think you're initializing the extension correctly with the App Factory pattern.

https://github.com/corydolphin/flask-cors/blob/master/flask_cors/extension.py#L131

Within app/main/__init__.py., try:

...

cors = CORS()


def create_app()
    app = Flask(__name__)

    cors.init_app(app, resources={r"/*": {"origins": r".*\.mydomain.com"}})
...

Full example: https://gitlab.com/testdriven/flask-react-auth/blob/master/services/users/project/init.py

Michael
  • 1,177
  • 4
  • 20
  • 71
0

Use this:

cors.init_app(app, resources={r"*": {"origins": "*"}})
mamadshr
  • 81
  • 1
  • 2
  • While this code may answer the question, providing additional context regarding why and/or how this code answers the question improves its long-term value. – n1colas.m Apr 29 '21 at 21:42