From d4b64d630ab5257e3925e9a399ce0cbce892d64d Mon Sep 17 00:00:00 2001 From: Vishesh 'ironeagle' Bangotra Date: Tue, 16 Jun 2026 17:50:36 +0530 Subject: [PATCH] cors fixes --- openapi_first/templates/crud_app/main.py | 11 ----- .../templates/crud_app/test_crud_app.py | 11 ----- openapi_first/templates/health_app/main.py | 11 ----- openapi_first/templates/model_app/main.py | 11 ----- .../templates/model_app/test_model_app.py | 11 ----- openapi_first/templates/vet_app/main.py | 14 +----- .../templates/vet_app/test_vet_app.py | 43 ++++++++----------- pyproject.toml | 3 -- 8 files changed, 18 insertions(+), 97 deletions(-) diff --git a/openapi_first/templates/crud_app/main.py b/openapi_first/templates/crud_app/main.py index 497989c..f07cc9c 100644 --- a/openapi_first/templates/crud_app/main.py +++ b/openapi_first/templates/crud_app/main.py @@ -26,7 +26,6 @@ Example: """ from openapi_first.app import OpenAPIFirstApp -from starlette_csrf import CSRFMiddleware import routes app = OpenAPIFirstApp( @@ -34,13 +33,3 @@ app = OpenAPIFirstApp( routes_module=routes, title="CRUD Example Service", ) - -app.add_middleware( - CSRFMiddleware, - secret="change-me-in-production", - cookie_name="csrftoken", - header_name="x-csrftoken", - cookie_secure=False, - cookie_httponly=False, - cookie_samesite="lax", -) diff --git a/openapi_first/templates/crud_app/test_crud_app.py b/openapi_first/templates/crud_app/test_crud_app.py index 4c38a23..daaca9f 100644 --- a/openapi_first/templates/crud_app/test_crud_app.py +++ b/openapi_first/templates/crud_app/test_crud_app.py @@ -34,14 +34,6 @@ client = OpenAPIClient( client=client, ) -# Bootstrap CSRF token via a safe GET request -_ = client.list_items() -_CSRF_TOKEN = client.client.cookies.get("csrftoken") - - -def _csrf_headers() -> dict: - return {"X-CSRFToken": _CSRF_TOKEN} if _CSRF_TOKEN else {} - def test_list_items_initial(): """Initial items should be present.""" @@ -79,7 +71,6 @@ def test_create_item(): response = client.create_item( body=payload, - headers=_csrf_headers(), ) assert response.status_code == 201 @@ -104,7 +95,6 @@ def test_update_item(): response = client.update_item( path_params={"item_id": 1}, body=payload, - headers=_csrf_headers(), ) assert response.status_code == 200 @@ -126,7 +116,6 @@ def test_delete_item(): """Deleting an item should remove it from the store.""" response = client.delete_item( path_params={"item_id": 2}, - headers=_csrf_headers(), ) assert response.status_code == 204 diff --git a/openapi_first/templates/health_app/main.py b/openapi_first/templates/health_app/main.py index 66a8e83..af92485 100644 --- a/openapi_first/templates/health_app/main.py +++ b/openapi_first/templates/health_app/main.py @@ -27,7 +27,6 @@ Example: from openapi_first.app import OpenAPIFirstApp -from starlette_csrf import CSRFMiddleware import routes app = OpenAPIFirstApp( @@ -35,13 +34,3 @@ app = OpenAPIFirstApp( routes_module=routes, title="Health Check Service", ) - -app.add_middleware( - CSRFMiddleware, - secret="change-me-in-production", - cookie_name="csrftoken", - header_name="x-csrftoken", - cookie_secure=False, - cookie_httponly=False, - cookie_samesite="lax", -) diff --git a/openapi_first/templates/model_app/main.py b/openapi_first/templates/model_app/main.py index d0468da..2cf86ca 100644 --- a/openapi_first/templates/model_app/main.py +++ b/openapi_first/templates/model_app/main.py @@ -26,7 +26,6 @@ Example: """ from openapi_first.app import OpenAPIFirstApp -from starlette_csrf import CSRFMiddleware import routes app = OpenAPIFirstApp( @@ -34,13 +33,3 @@ app = OpenAPIFirstApp( routes_module=routes, title="Model CRUD Example Service", ) - -app.add_middleware( - CSRFMiddleware, - secret="change-me-in-production", - cookie_name="csrftoken", - header_name="x-csrftoken", - cookie_secure=False, - cookie_httponly=False, - cookie_samesite="lax", -) diff --git a/openapi_first/templates/model_app/test_model_app.py b/openapi_first/templates/model_app/test_model_app.py index b5299b9..892359b 100644 --- a/openapi_first/templates/model_app/test_model_app.py +++ b/openapi_first/templates/model_app/test_model_app.py @@ -33,14 +33,6 @@ client = OpenAPIClient( client=client, ) -# Bootstrap CSRF token via a safe GET request -_ = client.list_items() -_CSRF_TOKEN = client.client.cookies.get("csrftoken") - - -def _csrf_headers() -> dict: - return {"X-CSRFToken": _CSRF_TOKEN} if _CSRF_TOKEN else {} - def test_list_items_initial(): """Initial items should be present.""" @@ -78,7 +70,6 @@ def test_create_item(): response = client.create_item( body=payload, - headers=_csrf_headers(), ) assert response.status_code == 201 @@ -103,7 +94,6 @@ def test_update_item(): response = client.update_item( path_params={"item_id": 1}, body=payload, - headers=_csrf_headers(), ) assert response.status_code == 200 @@ -125,7 +115,6 @@ def test_delete_item(): """Deleting an item should remove it from the store.""" response = client.delete_item( path_params={"item_id": 2}, - headers=_csrf_headers(), ) assert response.status_code == 204 diff --git a/openapi_first/templates/vet_app/main.py b/openapi_first/templates/vet_app/main.py index d60137c..67f55fa 100644 --- a/openapi_first/templates/vet_app/main.py +++ b/openapi_first/templates/vet_app/main.py @@ -28,7 +28,6 @@ Example: from starlette.middleware.cors import CORSMiddleware from openapi_first.app import OpenAPIFirstApp -from starlette_csrf import CSRFMiddleware import routes app = OpenAPIFirstApp( @@ -37,20 +36,9 @@ app = OpenAPIFirstApp( title="Veterinary Clinic Service", ) -app.add_middleware( - CSRFMiddleware, - secret="change-me-in-production", - cookie_name="csrftoken", - header_name="x-csrftoken", - cookie_secure=False, - cookie_httponly=False, - cookie_samesite="none", -) - app.add_middleware( CORSMiddleware, - allow_origins=["*"], - allow_credentials=True, + allow_origins=["http://localhost:5173"], allow_methods=["*"], allow_headers=["*"], ) diff --git a/openapi_first/templates/vet_app/test_vet_app.py b/openapi_first/templates/vet_app/test_vet_app.py index 77c4dba..d6bdbf8 100644 --- a/openapi_first/templates/vet_app/test_vet_app.py +++ b/openapi_first/templates/vet_app/test_vet_app.py @@ -20,14 +20,6 @@ client = OpenAPIClient( client=test_client, ) -# Bootstrap CSRF token via a safe GET request -_ = client.list_parents(query={"limit": 1}) -_CSRF_TOKEN = client.client.cookies.get("csrftoken") - - -def _csrf_headers() -> dict: - return {"X-CSRFToken": _CSRF_TOKEN} if _CSRF_TOKEN else {} - def test_list_parents(): """List parents returns paginated response.""" @@ -41,7 +33,7 @@ def test_list_parents(): def test_create_parent(): """Creating a parent returns 201 with the created entity.""" payload = {"name": "Alice", "email": "alice@example.com"} - response = client.create_parent(body=payload, headers=_csrf_headers()) + response = client.create_parent(body=payload) assert response.status_code == 201 parent = response.json() assert parent["name"] == "Alice" @@ -50,7 +42,7 @@ def test_create_parent(): def test_get_parent(): """Get parent by ID returns the entity.""" - parent = client.create_parent(body={"name": "Bob", "email": "bob@example.com"}, headers=_csrf_headers()).json() + parent = client.create_parent(body={"name": "Bob", "email": "bob@example.com"}).json() response = client.get_parent(path_params={"id": parent["id"]}) assert response.status_code == 200 assert response.json()["name"] == "Bob" @@ -58,17 +50,17 @@ def test_get_parent(): def test_update_parent(): """Update parent replaces its values.""" - parent = client.create_parent(body={"name": "Carol", "email": "carol@example.com"}, headers=_csrf_headers()).json() + parent = client.create_parent(body={"name": "Carol", "email": "carol@example.com"}).json() payload = {"name": "Carol Smith", "email": "carol.smith@example.com"} - response = client.update_parent(path_params={"id": parent["id"]}, body=payload, headers=_csrf_headers()) + response = client.update_parent(path_params={"id": parent["id"]}, body=payload) assert response.status_code == 200 assert response.json()["name"] == "Carol Smith" def test_delete_parent(): """Delete parent returns 204 and removes the entity.""" - parent = client.create_parent(body={"name": "Dave", "email": "dave@example.com"}, headers=_csrf_headers()).json() - response = client.delete_parent(path_params={"id": parent["id"]}, headers=_csrf_headers()) + parent = client.create_parent(body={"name": "Dave", "email": "dave@example.com"}).json() + response = client.delete_parent(path_params={"id": parent["id"]}) assert response.status_code == 204 @@ -84,7 +76,7 @@ def test_list_vets(): def test_create_vet(): """Creating a vet returns 201.""" payload = {"name": "Dr. Smith", "specialty": "Surgery", "email": "smith@clinic.com"} - response = client.create_vet(body=payload, headers=_csrf_headers()) + response = client.create_vet(body=payload) assert response.status_code == 201 assert response.json()["name"] == "Dr. Smith" @@ -99,27 +91,26 @@ def test_list_treatments(): def test_create_treatment(): """Creating a treatment returns 201.""" payload = {"label": "Vaccination", "description": "Annual vaccination"} - response = client.create_treatment(body=payload, headers=_csrf_headers()) + response = client.create_treatment(body=payload) assert response.status_code == 201 assert response.json()["label"] == "Vaccination" def test_create_pet(): """Creating a pet links FK references.""" - parent = client.create_parent(body={"name": "Owner", "email": "owner@example.com"}, headers=_csrf_headers()).json() + parent = client.create_parent(body={"name": "Owner", "email": "owner@example.com"}).json() payload = {"name": "Fido", "species": "dog", "parent_ids": [parent["id"]]} - response = client.create_pet(body=payload, headers=_csrf_headers()) + response = client.create_pet(body=payload) assert response.status_code == 201 assert response.json()["name"] == "Fido" def test_upload_pet_photo(): """Upload pet photo returns 200.""" - pet = client.create_pet(body={"name": "PhotoPet", "species": "cat", "parent_ids": []}, headers=_csrf_headers()).json() + pet = client.create_pet(body={"name": "PhotoPet", "species": "cat", "parent_ids": []}).json() response = client.client.post( f"http://testserver/pets/{pet['id']}", files={"file": ("test.jpg", b"fake-image-data", "image/jpeg")}, - headers=_csrf_headers(), ) assert response.status_code == 200 @@ -135,10 +126,10 @@ def test_list_appointments(): def test_full_appointment_lifecycle(): """Create a parent, vet, treatment, pet, then an appointment.""" - parent = client.create_parent(body={"name": "Eve", "email": "eve@example.com"}, headers=_csrf_headers()).json() - vet = client.create_vet(body={"name": "Dr. Jones", "specialty": "Dentistry", "email": "jones@clinic.com"}, headers=_csrf_headers()).json() - treatment = client.create_treatment(body={"label": "Cleaning", "description": "Teeth cleaning"}, headers=_csrf_headers()).json() - pet = client.create_pet(body={"name": "Max", "species": "dog", "parent_ids": [parent["id"]]}, headers=_csrf_headers()).json() + parent = client.create_parent(body={"name": "Eve", "email": "eve@example.com"}).json() + vet = client.create_vet(body={"name": "Dr. Jones", "specialty": "Dentistry", "email": "jones@clinic.com"}).json() + treatment = client.create_treatment(body={"label": "Cleaning", "description": "Teeth cleaning"}).json() + pet = client.create_pet(body={"name": "Max", "species": "dog", "parent_ids": [parent["id"]]}).json() payload = { "date": "2025-06-01T10:00:00", @@ -146,7 +137,7 @@ def test_full_appointment_lifecycle(): "vet_id": vet["id"], "treatment_id": treatment["id"], } - response = client.create_appointment(body=payload, headers=_csrf_headers()) + response = client.create_appointment(body=payload) assert response.status_code == 201 appointment = response.json() assert appointment["pet_id"] == pet["id"] @@ -156,5 +147,5 @@ def test_full_appointment_lifecycle(): assert get_resp.status_code == 200 # Delete it - del_resp = client.delete_appointment(path_params={"id": appointment["id"]}, headers=_csrf_headers()) + del_resp = client.delete_appointment(path_params={"id": appointment["id"]}) assert del_resp.status_code == 204 diff --git a/pyproject.toml b/pyproject.toml index fbcb5d6..8c8b9cc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -55,9 +55,6 @@ dependencies = [ # Code generation "datamodel-code-generator>=0.25.0", - - # CSRF protection (scaffolded apps) - "starlette-csrf>=3.0.0", ] [project.scripts]