[PROD] Add Client-Id to allowed CORS headers (#518)

docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   elasticsearch7:
     image: docker.elastic.co/elasticsearch/elasticsearch:7.10.1

rorapi/settings.py

@@ -18,6 +18,7 @@
 from dotenv import load_dotenv
 from elasticsearch import Elasticsearch, RequestsHttpConnection
 from requests_aws4auth import AWS4Auth
+from corsheaders.defaults import default_headers
 from sentry_sdk.integrations.django import DjangoIntegration
 
 sentry_sdk.init(dsn=os.environ.get('SENTRY_DSN', None),
@@ -144,6 +145,7 @@
 USE_TZ = True
 
 CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_HEADERS = list(default_headers) + ['Client-Id']
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.2/howto/static-files/

rorapi/tests/tests_unit/tests_cors.py

@@ -0,0 +1,18 @@
+from django.test import TestCase
+
+
+class CORSClientIdTestCase(TestCase):
+    """Test that CORS preflight allows the Client-Id header."""
+
+    def test_preflight_allows_client_id_header(self):
+        response = self.client.options(
+            '/v2/organizations/02feahw73',
+            HTTP_ORIGIN='http://localhost:5173',
+            HTTP_ACCESS_CONTROL_REQUEST_METHOD='GET',
+            HTTP_ACCESS_CONTROL_REQUEST_HEADERS='Client-Id',
+        )
+        self.assertIn(response.status_code, (200, 204))
+        allow_headers = response.get('Access-Control-Allow-Headers')
+        self.assertIsNotNone(allow_headers)
+        allowed = [h.strip().lower() for h in allow_headers.split(',')]
+        self.assertIn('client-id', allowed)