Skip to content

Commit

Permalink
Fix CSRF & CORS problems (#1477)
Browse files Browse the repository at this point in the history
* Fix CSRF problem

* Improved configuration

* Update csrf config

* Comment CSRF configuration

* Include CORS configuration

* Fix settings configuration
  • Loading branch information
Tansito authored Sep 3, 2024
1 parent 24b36c0 commit 731d429
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,12 @@ spec:
key: {{ .Values.secrets.servicePsql.key.databasePassword }}
- name: PUBLIC_GROUP_NAME
value: {{ .Values.application.publicGroupName }}
- name: ALLOWED_HOSTS
value: {{ .Values.application.allowedHosts | quote }}
- name: CSRF_TRUSTED_ORIGINS
value: {{ .Values.application.trustedOrigins | quote }}
- name: CORS_ALLOWED_ORIGIN_REGEXES
value: {{ .Values.application.corsOrigins | quote }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand Down
3 changes: 3 additions & 0 deletions charts/qiskit-serverless/charts/gateway/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@ application:
iqpQcon:
url: "https://api-qcon.quantum.ibm.com/api"
publicGroupName: "ibm-q/open/main"
allowedHosts: "*"
trustedOrigins: "http://localhost"
corsOrigins: "http://localhost"

cos:
claimName: gateway-claim
Expand Down
14 changes: 14 additions & 0 deletions gateway/main/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,20 @@
# SECURITY WARNING: don't run with debug turned on in production!
LOG_LEVEL = "DEBUG" if int(os.environ.get("DEBUG", 1)) else "INFO"

# It must be a full url without protocol: mydomain.com
ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS", "*").split(",")

# It must be a full url: https://mydomain.com
CSRF_TRUSTED_ORIGINS = os.environ.get("CSRF_TRUSTED_ORIGINS", "http://localhost").split(
","
)

# It must be a regex compatible: ^https://\w+\.example\.com$
CORS_ALLOWED_ORIGIN_REGEXES = os.environ.get(
"CORS_ALLOWED_ORIGIN_REGEXES", "http://localhost"
).split(",")
CORS_ALLOWED_ORIGIN_REGEXES = [rf"{pattern}" for pattern in CORS_ALLOWED_ORIGIN_REGEXES]

# allow connections from any kubernetes pod within the cluster
# k8s pods are given an IP on the private 10. network, and 10.0.0.0/8
# includes all 10. IPs.
Expand All @@ -64,9 +76,11 @@
"api",
"psycopg2",
"drf_yasg",
"corsheaders",
]

MIDDLEWARE = [
"corsheaders.middleware.CorsMiddleware",
"csp.middleware.CSPMiddleware",
"allow_cidr.middleware.AllowCIDRMiddleware",
"django_prometheus.middleware.PrometheusBeforeMiddleware",
Expand Down
1 change: 1 addition & 0 deletions gateway/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,4 @@ drf-yasg>=1.21.7, <2
sqlparse>=0.5.0, <1
qiskit-ibm-runtime>=0.27.0
tzdata>=2024.1
django-cors-headers>=4.4.0, <5

0 comments on commit 731d429

Please sign in to comment.