From 8f9549fbffc12e447a2ebeea3cab7a6372f81875 Mon Sep 17 00:00:00 2001 From: jrhoads Date: Tue, 10 Feb 2026 10:47:08 +0100 Subject: [PATCH 1/2] refactor: remove version field from docker-compose.yml --- docker-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 698ea39..55bc82c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3' - services: elasticsearch7: image: docker.elastic.co/elasticsearch/elasticsearch:7.10.1 From 319675226c20a9b172023e368d016350170396c1 Mon Sep 17 00:00:00 2001 From: jrhoads Date: Tue, 10 Feb 2026 10:47:56 +0100 Subject: [PATCH 2/2] feat: allow Client-Id header in CORS and add unit test --- rorapi/settings.py | 2 ++ rorapi/tests/tests_unit/tests_cors.py | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 rorapi/tests/tests_unit/tests_cors.py diff --git a/rorapi/settings.py b/rorapi/settings.py index b0ade37..db643c8 100644 --- a/rorapi/settings.py +++ b/rorapi/settings.py @@ -18,6 +18,7 @@ from dotenv import load_dotenv from elasticsearch import Elasticsearch, RequestsHttpConnection from requests_aws4auth import AWS4Auth +from corsheaders.defaults import default_headers from sentry_sdk.integrations.django import DjangoIntegration sentry_sdk.init(dsn=os.environ.get('SENTRY_DSN', None), @@ -144,6 +145,7 @@ USE_TZ = True CORS_ORIGIN_ALLOW_ALL = True +CORS_ALLOW_HEADERS = list(default_headers) + ['Client-Id'] # Static files (CSS, JavaScript, Images) # https://docs.djangoproject.com/en/2.2/howto/static-files/ diff --git a/rorapi/tests/tests_unit/tests_cors.py b/rorapi/tests/tests_unit/tests_cors.py new file mode 100644 index 0000000..5140e5e --- /dev/null +++ b/rorapi/tests/tests_unit/tests_cors.py @@ -0,0 +1,18 @@ +from django.test import TestCase + + +class CORSClientIdTestCase(TestCase): + """Test that CORS preflight allows the Client-Id header.""" + + def test_preflight_allows_client_id_header(self): + response = self.client.options( + '/v2/organizations/02feahw73', + HTTP_ORIGIN='http://localhost:5173', + HTTP_ACCESS_CONTROL_REQUEST_METHOD='GET', + HTTP_ACCESS_CONTROL_REQUEST_HEADERS='Client-Id', + ) + self.assertIn(response.status_code, (200, 204)) + allow_headers = response.get('Access-Control-Allow-Headers') + self.assertIsNotNone(allow_headers) + allowed = [h.strip().lower() for h in allow_headers.split(',')] + self.assertIn('client-id', allowed)