Allow at-runtime origin validation - or some tips on usage?

[estein-de]

In the documentation at http://flask-cors.corydolphin.com/en/latest/api.html#decorator there is no way to make it so that the allowed origins are determined other than at the time the decorator function is applied (which would be, in most situations, the moment when the module is imported).

I want to set my allowed origins in my flask config, but flask config is only accessible once current_app is accessible... and my controllers get imported before current_app is accessible. Currently I'm working around this by applying the decorator later using lazy evaluation but I would really rather not do that. Can you suggest something?

Am I missing a really obvious way to do this?

[corydolphin]

The alternate approach is to use the http://flask-cors.corydolphin.com/en/latest/api.html#extension approach, storing the origins in the app's flask config.

Does that make sense?

[estein-de]

I see what you mean, but I don't actually store the exact origins in my config, I have code that uses my config to generate the origins. Sorry, that wasn't clear.

[estein-de]

It would be even better to be able to just provide a callable that would validate Origins, but from what I saw on other issues on this repo I wouldn't be surprised if that's not a simple ask.

[corydolphin]

Ahh, I understand. Can you describe the use case a little more? I'm totally open to adding it, and it should actually be relatively simple.

I think those other issues are red herrings 🍻

[estein-de]

Sorry for ghosting you for 6 years @corydolphin - we might have a PR for you soon on this actually. The gist was that we need to use a database driven approach for managing the allow-list for a CORS system and making a callback driven Origin validator is the way we thought was appropriate to do this. The reason for this is that the data may change while apps are up and Flask apps are generally meant to work such that the config is loaded once at app startup - and it's not good form to make app startup depend upon your database. A bit of a catch-22. Will let you know if we have patches to propose.