From e230919acc01ca7b83e9adbca1fd5adfaace7304 Mon Sep 17 00:00:00 2001
From: Ken Lippold <klippold@Kens-MacBook-Pro-2.local>
Date: Thu, 3 Oct 2024 11:08:20 -0700
Subject: [PATCH] Enable CORS for API routes.

---
 hydroserver/settings.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/hydroserver/settings.py b/hydroserver/settings.py
index 80b9888..bbf36e0 100644
--- a/hydroserver/settings.py
+++ b/hydroserver/settings.py
@@ -23,22 +23,28 @@
 DEPLOYMENT_BACKEND = config('DEPLOYMENT_BACKEND', default='local')
 DISABLE_ACCOUNT_CREATION = config('DISABLE_ACCOUNT_CREATION', default=False, cast=bool)
 
+# CORS Settings
+
+CORS_ORIGIN_ALLOW_ALL = True
+CORS_URLS_REGEX = r'^/api/.*$'
+CORS_ALLOW_HEADERS = list(default_headers)
+
+# Deployment Settings
+
 if DEPLOYMENT_BACKEND == 'aws':
     hostname = socket.gethostname()
     local_ip = socket.gethostbyname(hostname)  # This is necessary for AWS ELB Health Checks to pass.
     PROXY_BASE_URL = config('PROXY_BASE_URL')
     ALLOWED_HOSTS = config('ALLOWED_HOSTS', default=PROXY_BASE_URL).split(',') + [local_ip]
-    CSRF_TRUSTED_ORIGINS = [PROXY_BASE_URL]
-    CORS_ALLOW_HEADERS = list(default_headers) + ['Refresh_Authorization']
+    CORS_ALLOW_HEADERS += ['Refresh_Authorization']
 elif DEPLOYMENT_BACKEND == 'vm':
     PROXY_BASE_URL = config('PROXY_BASE_URL')
     ALLOWED_HOSTS = config('ALLOWED_HOSTS', default=PROXY_BASE_URL).split(',')
-    CSRF_TRUSTED_ORIGINS = [PROXY_BASE_URL]
 else:
     PROXY_BASE_URL = config('PROXY_BASE_URL', 'http://127.0.0.1:3030')
     ALLOWED_HOSTS = ['127.0.0.1', 'localhost']
-    CSRF_TRUSTED_ORIGINS = [PROXY_BASE_URL]
-    CORS_ORIGIN_ALLOW_ALL = True  # Warning: Do not use this setting in production.
+
+CSRF_TRUSTED_ORIGINS = [PROXY_BASE_URL]
 
 LOGIN_REDIRECT_URL = 'sites'
 LOGOUT_REDIRECT_URL = 'home'