From 4d9cf15c45e90310cafd624740b48cf5a6b4c11a Mon Sep 17 00:00:00 2001
From: Paul Bottein
Date: Sat, 9 Mar 2019 19:00:10 +0100
Subject: [PATCH] Fix authorization header in cors (#21662)
* Fix authorization headers in cors
* Use aiohttp authorization header instead of custom const
---
 homeassistant/components/http/cors.py | 4 ++--
 tests/components/http/test_cors.py | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/homeassistant/components/http/cors.py b/homeassistant/components/http/cors.py
index 6da3b0e51d7..1ef70b5e022 100644
--- a/homeassistant/components/http/cors.py
+++ b/homeassistant/components/http/cors.py
@@ -1,5 +1,5 @@
 """Provide CORS support for the HTTP component."""
-from aiohttp.hdrs import ACCEPT, CONTENT_TYPE, ORIGIN
+from aiohttp.hdrs import ACCEPT, CONTENT_TYPE, ORIGIN, AUTHORIZATION
 from homeassistant.const import (
 HTTP_HEADER_HA_AUTH, HTTP_HEADER_X_REQUESTED_WITH)
@@ -7,7 +7,7 @@ from homeassistant.core import callback
 ALLOWED_CORS_HEADERS = [
 ORIGIN, ACCEPT, HTTP_HEADER_X_REQUESTED_WITH, CONTENT_TYPE,
- HTTP_HEADER_HA_AUTH]
+ HTTP_HEADER_HA_AUTH, AUTHORIZATION]
 @callback
diff --git a/tests/components/http/test_cors.py b/tests/components/http/test_cors.py
index c95146d5cca..e17fb105efe 100644
--- a/tests/components/http/test_cors.py
+++ b/tests/components/http/test_cors.py
@@ -7,11 +7,14 @@ from aiohttp.hdrs import (
 ACCESS_CONTROL_ALLOW_HEADERS,
 ACCESS_CONTROL_REQUEST_HEADERS,
 ACCESS_CONTROL_REQUEST_METHOD,
+ AUTHORIZATION,
 ORIGIN
 )
 import pytest
-from homeassistant.const import HTTP_HEADER_HA_AUTH
+from homeassistant.const import (
+ HTTP_HEADER_HA_AUTH
+)
 from homeassistant.setup import async_setup_component
 from homeassistant.components.http.cors import setup_cors
 from homeassistant.components.http.view import HomeAssistantView
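Review bot: `ALLOWED_CORS_HEADERS` in homeassistant/components/http/cors.py (second hunk) now lets cross-origin requests carry bearer tokens, and nothing beside the list records that this is only as safe as the configured origin allow-list. A comment above the list would make that explicit, for example `# AUTHORIZATION lets allowed origins send bearer tokens; origins must stay an explicit list, never a wildcard.` The function that consumes the list starts after `@callback` and is outside the hunk, so how origins are matched cannot be confirmed from here. As a style point on the first hunk, the import appends the new name out of alphabetical order; `from aiohttp.hdrs import ACCEPT, AUTHORIZATION, CONTENT_TYPE, ORIGIN` keeps it sorted.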
@@ -84,6 +87,15 @@ async def test_cors_requests(client):
 assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
 TRUSTED_ORIGIN
+ # With auth token in headers
+ req = await client.get('/', headers={
+ AUTHORIZATION: 'Bearer some-token',
+ ORIGIN: TRUSTED_ORIGIN
+ })
+ assert req.status == 200
+ assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
+ TRUSTED_ORIGIN
+
 async def test_cors_preflight_allowed(client):
 """Test cross origin resource sharing preflight (OPTIONS) request."""
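Review bot: The request added to test_cors_requests does not exercise the header allow-list that this commit changes. It is a plain GET, whereas a browser sending Authorization cross-origin first issues a preflight, and the Access-Control-Allow-Headers answer to that preflight is what the cors.py change affects, so this assertion would probably pass without the fix. A preflight case that requests the Authorization header and checks it comes back in ACCESS_CONTROL_ALLOW_HEADERS would pin the behaviour. test_cors_preflight_allowed begins at the end of this hunk with its body outside it, so the sketch below is a separate test built only from names visible in the file's imports and this hunk.

```python
async def test_cors_preflight_authorization(client):
    """Preflight must list Authorization among the allowed headers."""
    req = await client.options('/', headers={
        ORIGIN: TRUSTED_ORIGIN,
        ACCESS_CONTROL_REQUEST_METHOD: 'GET',
        ACCESS_CONTROL_REQUEST_HEADERS: AUTHORIZATION
    })
    assert req.status == 200
    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == TRUSTED_ORIGIN
    # Compare case-insensitively; the casing of the echoed header is not shown here.
    assert AUTHORIZATION.upper() in \
        req.headers[ACCESS_CONTROL_ALLOW_HEADERS].upper()
```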