Support for CORS

2025-12-14 20:43:41 +01:00 · 2015-01-18 10:23:49 +02:00 · 2015-01-18 10:23:49 +02:00 · 9fe2bc1a38
commit 9fe2bc1a38
parent 6f2d9845b5
2 changed files with 71 additions and 0 deletions
--- a/beetsplug/web/init.py
+++ b/beetsplug/web/init.py
@ -22,6 +22,7 @@ from flask import g
 from werkzeug.routing import BaseConverter, PathConverter
 import os
 import json
+from crossdomaindec import crossdomain


 # Utilities.
@ -164,6 +165,7 @@ def before_request():
 # Items.

@app.route('/item/<idlist:ids>')
+@crossdomain(origin='*')
@resource('items')
 def get_item(id):
    return g.lib.get_item(id)
@ -171,12 +173,14 @@ def get_item(id):

@app.route('/item/')
@app.route('/item/query/')
+@crossdomain(origin='*')
@resource_list('items')
 def all_items():
    return g.lib.items()


@app.route('/item/<int:item_id>/file')
+@crossdomain(origin='*')
 def item_file(item_id):
    item = g.lib.get_item(item_id)
    response = flask.send_file(item.path, as_attachment=True,
@ -186,6 +190,7 @@ def item_file(item_id):


@app.route('/item/query/<query:queries>')
+@crossdomain(origin='*')
@resource_query('items')
 def item_query(queries):
    return g.lib.items(queries)
@ -194,6 +199,7 @@ def item_query(queries):
 # Albums.

@app.route('/album/<idlist:ids>')
+@crossdomain(origin='*')
@resource('albums')
 def get_album(id):
    return g.lib.get_album(id)
@ -201,18 +207,21 @@ def get_album(id):

@app.route('/album/')
@app.route('/album/query/')
+@crossdomain(origin='*')
@resource_list('albums')
 def all_albums():
    return g.lib.albums()


@app.route('/album/query/<query:queries>')
+@crossdomain(origin='*')
@resource_query('albums')
 def album_query(queries):
    return g.lib.albums(queries)


@app.route('/album/<int:album_id>/art')
+@crossdomain(origin='*')
 def album_art(album_id):
    album = g.lib.get_album(album_id)
    return flask.send_file(album.artpath)
@ -221,6 +230,7 @@ def album_art(album_id):
 # Artists.

@app.route('/artist/')
+@crossdomain(origin='*')
 def all_artists():
    with g.lib.transaction() as tx:
        rows = tx.query("SELECT DISTINCT albumartist FROM albums")
@ -231,6 +241,7 @@ def all_artists():
 # Library information.

@app.route('/stats')
+@crossdomain(origin='*')
 def stats():
    with g.lib.transaction() as tx:
        item_rows = tx.query("SELECT COUNT(*) FROM items")
--- a/beetsplug/web/crossdomaindec.py
+++ b/beetsplug/web/crossdomaindec.py
@ -0,0 +1,60 @@
+# Decorator for the HTTP Access Control
+# By Armin Ronacher
+# http://flask.pocoo.org/snippets/56/
+#
+# Cross-site HTTP requests are HTTP requests for resources from a different
+# domain than the domain of the resource making the request.
+# For instance, a resource loaded from Domain A makes a request for a resource
+# on Domain B. The way this is implemented in modern browsers is by using
+# HTTP Access Control headers
+#
+# https://developer.mozilla.org/en/HTTP_access_control
+#
+# The following view decorator implements this
+#
+
+from datetime import timedelta
+from flask import make_response, request, current_app
+from functools import update_wrapper
+
+
+def crossdomain(origin=None, methods=None, headers=None,
+                max_age=21600, attach_to_all=True,
+                automatic_options=True):
+    if methods is not None:
+        methods = ', '.join(sorted(x.upper() for x in methods))
+    if headers is not None and not isinstance(headers, basestring):
+        headers = ', '.join(x.upper() for x in headers)
+    if not isinstance(origin, basestring):
+        origin = ', '.join(origin)
+    if isinstance(max_age, timedelta):
+        max_age = max_age.total_seconds()
+
+    def get_methods():
+        if methods is not None:
+            return methods
+
+        options_resp = current_app.make_default_options_response()
+        return options_resp.headers['allow']
+
+    def decorator(f):
+        def wrapped_function(*args, **kwargs):
+            if automatic_options and request.method == 'OPTIONS':
+                resp = current_app.make_default_options_response()
+            else:
+                resp = make_response(f(*args, **kwargs))
+            if not attach_to_all and request.method != 'OPTIONS':
+                return resp
+
+            h = resp.headers
+
+            h['Access-Control-Allow-Origin'] = origin
+            h['Access-Control-Allow-Methods'] = get_methods()
+            h['Access-Control-Max-Age'] = str(max_age)
+            if headers is not None:
+                h['Access-Control-Allow-Headers'] = headers
+            return resp
+
+        f.provide_automatic_options = False
+        return update_wrapper(wrapped_function, f)
+    return decorator