nucliadb-utils 2.44.2.post353__py3-none-any.whl → 2.44.2.post354__py3-none-any.whl

nucliadb_utils/const.py

@@ -78,3 +78,4 @@ class Features:
     VERSIONED_PRIVATE_PREDICT = "nucliadb_versioned_private_predict"
     BACK_PRESSURE = "nucliadb_back_pressure"
     REBALANCE_KB = "nucliadb_rebalance_kb"
+    CORS_MIDDLEWARE = "nucliadb_cors_middleware_enabled"

nucliadb_utils/featureflagging.py

@@ -61,6 +61,10 @@ DEFAULT_FLAG_DATA: dict[str, Any] = {
         "rollout": 0,
         "variants": {"environment": ["local"]},
     },
+    const.Features.CORS_MIDDLEWARE: {
+        "rollout": 0,
+        "variants": {"environment": ["local"]},
+    },
 }
 
 

{nucliadb_utils-2.44.2.post353.dist-info → nucliadb_utils-2.44.2.post354.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: nucliadb-utils
-Version: 2.44.2.post353
+Version: 2.44.2.post354
 Home-page: https://nuclia.com
 License: BSD
 Classifier: Development Status :: 4 - Beta
@@ -21,8 +21,8 @@ Requires-Dist: nats-py[nkeys] >=2.6.0
 Requires-Dist: pyjwt >=2.4.0
 Requires-Dist: memorylru >=1.1.2
 Requires-Dist: mrflagly
-Requires-Dist: nucliadb-protos >=2.44.2.post353
-Requires-Dist: nucliadb-telemetry >=2.44.2.post353
+Requires-Dist: nucliadb-protos >=2.44.2.post354
+Requires-Dist: nucliadb-telemetry >=2.44.2.post354
 Provides-Extra: cache
 Requires-Dist: redis >=4.3.4 ; extra == 'cache'
 Requires-Dist: orjson >=3.6.7 ; extra == 'cache'

{nucliadb_utils-2.44.2.post353.dist-info → nucliadb_utils-2.44.2.post354.dist-info}/RECORD

@@ -1,11 +1,10 @@
 nucliadb_utils/__init__.py,sha256=EvBCH1iTODe-AgXm48aj4kVUt_Std3PeL8QnwimR5wI,895
 nucliadb_utils/asyncio_utils.py,sha256=i4u0NP32zx0GWB7L5bc5eSWc-zGIxDMP7rQZhoYxRxo,2794
 nucliadb_utils/authentication.py,sha256=HTj6kFFrfdN4-DW_MNqldAPqNPdPwGHnSWl-SigiMvk,6071
-nucliadb_utils/const.py,sha256=FYACRPdKhjcNgWt5tCMpjnEYQq_4ZYbxrEAmIPIFpME,2355
-nucliadb_utils/cors.py,sha256=s4PQZ5rZOOYxiHA2oBi8LKfmuHhZTwlZiyEfWM3c5ag,8406
+nucliadb_utils/const.py,sha256=yd7We31W7-B7zI-Wt2x5QDTXb78gBNeNXpoyK1IOKb0,2412
 nucliadb_utils/debug.py,sha256=saSfh_CDQoQl-35KCyqef5hdB_OVdrIEnlmWnZU18vg,2470
 nucliadb_utils/exceptions.py,sha256=y_3wk77WLVUtdo-5FtbBsdSkCtK_DsJkdWb5BoPn3qo,1094
-nucliadb_utils/featureflagging.py,sha256=hc7sestzm9_usfZN6_CF7RSs4UOx3CufrQ93ZxnIb3c,2711
+nucliadb_utils/featureflagging.py,sha256=Rxr999pbYCA5QTzyubxUft2MSA4Tlc_gTYd35YDIBkQ,2826
 nucliadb_utils/grpc.py,sha256=USXwPRuCJiSyLf0JW4isIKZne6od8gM_GGLWaHHjknk,3336
 nucliadb_utils/helpers.py,sha256=fOL6eImdvKO3NV39ymmo2UOCT-GAK1dfXKoMKdzdmFo,1599
 nucliadb_utils/indexing.py,sha256=ELJ9bTnrxcb6tmO77HzzO1SDLPmKXTc_nBiLnJocz5I,3462
@@ -52,7 +51,6 @@ nucliadb_utils/tests/s3.py,sha256=YB8QqDaBXxyhHonEHmeBbRRDmvB7sTOaKBSi8KBGokg,23
 nucliadb_utils/tests/unit/__init__.py,sha256=itSI7dtTwFP55YMX4iK7JzdMHS5CQVUiB1XzQu4UBh8,833
 nucliadb_utils/tests/unit/test_asyncio_utils.py,sha256=Dfs-lEa6ZGp6m-dOmhtB8PGuQQ9CUOfVbX-YvUEfdrc,2339
 nucliadb_utils/tests/unit/test_authentication.py,sha256=clxj4mmmUnHbUh9dvvtoA2XNruZSxRPEXD68MXXzgzU,5361
-nucliadb_utils/tests/unit/test_cors.py,sha256=7Gifju-MXjO0x_MtfB_STd2nVhr3jdsl4kntgpTW6-8,22062
 nucliadb_utils/tests/unit/test_helpers.py,sha256=w0Yxo1NteBZi_iSRVZ3vv4J-o3Z7SJIz1q6yyXGzQLg,1574
 nucliadb_utils/tests/unit/test_nats.py,sha256=4lLQOucQGwL9lubTfNFqXhXtua9u4lTlWjF_lFCYORc,4436
 nucliadb_utils/tests/unit/test_run.py,sha256=VHeojVBj_AfV_uNch9eEi4zCT-O94VKjwb_O-UZgqpA,1910
@@ -65,8 +63,8 @@ nucliadb_utils/tests/unit/storages/test_aws.py,sha256=GCsB_jwCUNV3Ogt8TZZEmNKAHv
 nucliadb_utils/tests/unit/storages/test_gcs.py,sha256=2XzJwgNpfjVGjtE-QdZhu3ayuT1EMEXINdM-_SatPCY,3554
 nucliadb_utils/tests/unit/storages/test_pg.py,sha256=sJfUttMSzq8W1XYolAUcMxl_R5HcEzb5fpCklPeMJiY,17000
 nucliadb_utils/tests/unit/storages/test_storage.py,sha256=VFpRq6Q6BjnIrBQCumYzR8DQUacwhxt5CzTKSlqqD24,6892
-nucliadb_utils-2.44.2.post353.dist-info/METADATA,sha256=aRrRVotMIrJNyXT12mr6MjRVriJ7mtEYtBRl8MCRLro,1978
-nucliadb_utils-2.44.2.post353.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-nucliadb_utils-2.44.2.post353.dist-info/top_level.txt,sha256=fE3vJtALTfgh7bcAWcNhcfXkNPp_eVVpbKK-2IYua3E,15
-nucliadb_utils-2.44.2.post353.dist-info/zip-safe,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
-nucliadb_utils-2.44.2.post353.dist-info/RECORD,,
+nucliadb_utils-2.44.2.post354.dist-info/METADATA,sha256=ry3N2eeoqt0rxNMZIUgkfPZf7OJMKm0-EyDGp53Pmcw,1978
+nucliadb_utils-2.44.2.post354.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+nucliadb_utils-2.44.2.post354.dist-info/top_level.txt,sha256=fE3vJtALTfgh7bcAWcNhcfXkNPp_eVVpbKK-2IYua3E,15
+nucliadb_utils-2.44.2.post354.dist-info/zip-safe,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+nucliadb_utils-2.44.2.post354.dist-info/RECORD,,

nucliadb_utils/cors.py

@@ -1,210 +0,0 @@
-# Copyright (C) 2021 Bosutech XXI S.L.
-#
-# nucliadb is offered under the AGPL v3.0 and as commercial software.
-# For commercial licensing, contact us at info@nuclia.com.
-#
-# AGPL:
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import functools
-import logging
-import re
-import typing
-
-from starlette.datastructures import Headers, MutableHeaders
-from starlette.responses import PlainTextResponse, Response
-from starlette.types import ASGIApp, Message, Receive, Scope, Send
-
-ALL_METHODS = ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT")
-SAFELISTED_HEADERS = {"Accept", "Accept-Language", "Content-Language", "Content-Type"}
-
-logger = logging.getLogger("cors_debug")
-
-
-class CORSMiddleware:
-    def __init__(
-        self,
-        app: ASGIApp,
-        allow_origins: typing.Sequence[str] = (),
-        allow_methods: typing.Sequence[str] = ("GET",),
-        allow_headers: typing.Sequence[str] = (),
-        allow_credentials: bool = False,
-        allow_origin_regex: typing.Optional[str] = None,
-        expose_headers: typing.Sequence[str] = (),
-        max_age: int = 600,
-    ) -> None:
-        if "*" in allow_methods:
-            allow_methods = ALL_METHODS
-
-        compiled_allow_origin_regex = None
-        if allow_origin_regex is not None:
-            compiled_allow_origin_regex = re.compile(allow_origin_regex)
-
-        allow_all_origins = "*" in allow_origins
-        allow_all_headers = "*" in allow_headers
-        preflight_explicit_allow_origin = not allow_all_origins or allow_credentials
-
-        simple_headers = {}
-        if allow_all_origins:
-            simple_headers["Access-Control-Allow-Origin"] = "*"
-        if allow_credentials:
-            simple_headers["Access-Control-Allow-Credentials"] = "true"
-        if expose_headers:
-            simple_headers["Access-Control-Expose-Headers"] = ", ".join(expose_headers)
-
-        preflight_headers = {}
-        if preflight_explicit_allow_origin:
-            # The origin value will be set in preflight_response() if it is allowed.
-            preflight_headers["Vary"] = "Origin"
-        else:
-            preflight_headers["Access-Control-Allow-Origin"] = "*"
-        preflight_headers.update(
-            {
-                "Access-Control-Allow-Methods": ", ".join(allow_methods),
-                "Access-Control-Max-Age": str(max_age),
-            }
-        )
-        allow_headers = sorted(SAFELISTED_HEADERS | set(allow_headers))
-        if allow_headers and not allow_all_headers:
-            preflight_headers["Access-Control-Allow-Headers"] = ", ".join(allow_headers)
-        if allow_credentials:
-            preflight_headers["Access-Control-Allow-Credentials"] = "true"
-
-        self.app = app
-        self.allow_origins = allow_origins
-        self.allow_methods = allow_methods
-        self.allow_headers = [h.lower() for h in allow_headers]
-        self.allow_all_origins = allow_all_origins
-        self.allow_all_headers = allow_all_headers
-        self.preflight_explicit_allow_origin = preflight_explicit_allow_origin
-        self.allow_origin_regex = compiled_allow_origin_regex
-        self.simple_headers = simple_headers
-        self.preflight_headers = preflight_headers
-
-    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
-        if scope["type"] != "http":  # pragma: no cover
-            await self.app(scope, receive, send)
-            return
-
-        method = scope["method"]
-        headers = Headers(scope=scope)
-        origin = headers.get("origin")
-
-        if origin is None:
-            await self.app(scope, receive, send)
-            return
-
-        if method == "OPTIONS" and "access-control-request-method" in headers:
-            response = self.preflight_response(request_headers=headers)
-            await response(scope, receive, send)
-            return
-
-        await self.simple_response(scope, receive, send, request_headers=headers)
-
-    def is_allowed_origin(
-        self, origin: str, allowed_origins: typing.Optional[str]
-    ) -> bool:
-        if allowed_origins:
-            return origin in allowed_origins.split(",")
-
-        if self.allow_all_origins:
-            return True
-
-        if self.allow_origin_regex is not None and self.allow_origin_regex.fullmatch(
-            origin
-        ):
-            return True
-
-        return origin in self.allow_origins
-
-    def preflight_response(self, request_headers: Headers) -> Response:
-        logger.info(f"CORS DEBUG REQUEST: {str(request_headers)}")
-        requested_origin = request_headers["origin"]
-        requested_method = request_headers["access-control-request-method"]
-        requested_headers = request_headers.get("access-control-request-headers")
-
-        headers = dict(self.preflight_headers)
-        failures = []
-
-        allowed_origins = request_headers.get("x-nucliadb-cors-allowed-origins")
-        if self.is_allowed_origin(
-            origin=requested_origin, allowed_origins=allowed_origins
-        ):
-            if self.preflight_explicit_allow_origin:
-                # The "else" case is already accounted for in self.preflight_headers
-                # and the value would be "*".
-                headers["Access-Control-Allow-Origin"] = requested_origin
-        else:
-            failures.append("origin")
-
-        if requested_method not in self.allow_methods:
-            failures.append("method")
-
-        # If we allow all headers, then we have to mirror back any requested
-        # headers in the response.
-        if self.allow_all_headers and requested_headers is not None:
-            headers["Access-Control-Allow-Headers"] = requested_headers
-        elif requested_headers is not None:
-            for header in [h.lower() for h in requested_headers.split(",")]:
-                if header.strip() not in self.allow_headers:
-                    failures.append("headers")
-                    break
-
-        # We don't strictly need to use 400 responses here, since its up to
-        # the browser to enforce the CORS policy, but its more informative
-        # if we do.
-        if failures:
-            failure_text = "Disallowed CORS " + ", ".join(failures)
-            return PlainTextResponse(failure_text, status_code=400, headers=headers)
-
-        return PlainTextResponse("OK", status_code=200, headers=headers)
-
-    async def simple_response(
-        self, scope: Scope, receive: Receive, send: Send, request_headers: Headers
-    ) -> None:
-        send = functools.partial(self.send, send=send, request_headers=request_headers)
-        await self.app(scope, receive, send)
-
-    async def send(
-        self, message: Message, send: Send, request_headers: Headers
-    ) -> None:
-        if message["type"] != "http.response.start":
-            await send(message)
-            return
-
-        message.setdefault("headers", [])
-        headers = MutableHeaders(scope=message)
-        headers.update(self.simple_headers)
-        origin = request_headers["Origin"]
-        has_cookie = "cookie" in request_headers
-
-        # If request includes any cookie headers, then we must respond
-        # with the specific origin instead of '*'.
-        if self.allow_all_origins and has_cookie:
-            self.allow_explicit_origin(headers, origin)
-
-        # If we only allow specific origins, then we have to mirror back
-        # the Origin header in the response.
-        elif not self.allow_all_origins and self.is_allowed_origin(
-            origin=origin,
-            allowed_origins=headers.get("x-nucliadb-cors-allowed-origins"),
-        ):
-            self.allow_explicit_origin(headers, origin)
-
-        await send(message)
-
-    @staticmethod
-    def allow_explicit_origin(headers: MutableHeaders, origin: str) -> None:
-        headers["Access-Control-Allow-Origin"] = origin
-        headers.add_vary_header("Origin")

nucliadb_utils/tests/unit/test_cors.py

@@ -1,633 +0,0 @@
-# Copyright (C) 2021 Bosutech XXI S.L.
-#
-# nucliadb is offered under the AGPL v3.0 and as commercial software.
-# For commercial licensing, contact us at info@nuclia.com.
-#
-# AGPL:
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import functools
-from typing import Any, Callable, Literal
-
-import pytest
-from starlette.applications import Starlette
-from starlette.middleware import Middleware
-from starlette.requests import Request
-from starlette.responses import PlainTextResponse
-from starlette.routing import Route
-from starlette.testclient import TestClient
-from starlette.types import ASGIApp
-
-from nucliadb_utils.cors import CORSMiddleware
-
-TestClientFactory = Callable[[ASGIApp], TestClient]
-
-
-@pytest.fixture
-def anyio_backend():
-    return "asyncio"
-
-
-@pytest.fixture
-def test_client_factory(
-    anyio_backend_name: Literal["asyncio"],
-    anyio_backend_options: dict[str, Any],
-) -> TestClientFactory:
-    # anyio_backend_name defined by:
-    # https://anyio.readthedocs.io/en/stable/testing.html#specifying-the-backends-to-run-on
-    return functools.partial(
-        TestClient,
-        backend=anyio_backend_name,
-        backend_options=anyio_backend_options,
-    )
-
-
-def test_cors_allow_all(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_origins=["*"],
-                allow_headers=["*"],
-                allow_methods=["*"],
-                expose_headers=["X-Status"],
-                allow_credentials=True,
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test pre-flight response
-    headers = {
-        "Origin": "https://example.org",
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "X-Example",
-    }
-    response = client.options("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "OK"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-allow-headers"] == "X-Example"
-    assert response.headers["access-control-allow-credentials"] == "true"
-    assert response.headers["vary"] == "Origin"
-
-    # Test standard response
-    headers = {"Origin": "https://example.org"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "*"
-    assert response.headers["access-control-expose-headers"] == "X-Status"
-    assert response.headers["access-control-allow-credentials"] == "true"
-
-    # Test standard credentialed response
-    headers = {"Origin": "https://example.org", "Cookie": "star_cookie=sugar"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-expose-headers"] == "X-Status"
-    assert response.headers["access-control-allow-credentials"] == "true"
-
-    # Test non-CORS response
-    response = client.get("/")
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert "access-control-allow-origin" not in response.headers
-
-
-def test_cors_allow_all_except_credentials(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_origins=["*"],
-                allow_headers=["*"],
-                allow_methods=["*"],
-                expose_headers=["X-Status"],
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test pre-flight response
-    headers = {
-        "Origin": "https://example.org",
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "X-Example",
-    }
-    response = client.options("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "OK"
-    assert response.headers["access-control-allow-origin"] == "*"
-    assert response.headers["access-control-allow-headers"] == "X-Example"
-    assert "access-control-allow-credentials" not in response.headers
-    assert "vary" not in response.headers
-
-    # Test standard response
-    headers = {"Origin": "https://example.org"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "*"
-    assert response.headers["access-control-expose-headers"] == "X-Status"
-    assert "access-control-allow-credentials" not in response.headers
-
-    # Test non-CORS response
-    response = client.get("/")
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert "access-control-allow-origin" not in response.headers
-
-
-def test_cors_allow_specific_origin(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_origins=["https://example.org"],
-                allow_headers=["X-Example", "Content-Type"],
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test pre-flight response
-    headers = {
-        "Origin": "https://example.org",
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "X-Example, Content-Type",
-    }
-    response = client.options("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "OK"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-allow-headers"] == (
-        "Accept, Accept-Language, Content-Language, Content-Type, X-Example"
-    )
-    assert "access-control-allow-credentials" not in response.headers
-
-    # Test standard response
-    headers = {"Origin": "https://example.org"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert "access-control-allow-credentials" not in response.headers
-
-    # Test non-CORS response
-    response = client.get("/")
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert "access-control-allow-origin" not in response.headers
-
-
-def test_cors_disallowed_preflight(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> None:
-        pass  # pragma: no cover
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_origins=["https://example.org"],
-                allow_headers=["X-Example"],
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test pre-flight response
-    headers = {
-        "Origin": "https://another.org",
-        "Access-Control-Request-Method": "POST",
-        "Access-Control-Request-Headers": "X-Nope",
-    }
-    response = client.options("/", headers=headers)
-    assert response.status_code == 400
-    assert response.text == "Disallowed CORS origin, method, headers"
-    assert "access-control-allow-origin" not in response.headers
-
-    # Bug specific test, https://github.com/encode/starlette/pull/1199
-    # Test preflight response text with multiple disallowed headers
-    headers = {
-        "Origin": "https://example.org",
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "X-Nope-1, X-Nope-2",
-    }
-    response = client.options("/", headers=headers)
-    assert response.text == "Disallowed CORS headers"
-
-
-def test_preflight_allows_request_origin_if_origins_wildcard_and_credentials_allowed(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> None:
-        return  # pragma: no cover
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_origins=["*"],
-                allow_methods=["POST"],
-                allow_credentials=True,
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test pre-flight response
-    headers = {
-        "Origin": "https://example.org",
-        "Access-Control-Request-Method": "POST",
-    }
-    response = client.options(
-        "/",
-        headers=headers,
-    )
-    assert response.status_code == 200
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-allow-credentials"] == "true"
-    assert response.headers["vary"] == "Origin"
-
-
-def test_cors_preflight_allow_all_methods(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> None:
-        pass  # pragma: no cover
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["*"])
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    headers = {
-        "Origin": "https://example.org",
-        "Access-Control-Request-Method": "POST",
-    }
-
-    for method in ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"):
-        response = client.options("/", headers=headers)
-        assert response.status_code == 200
-        assert method in response.headers["access-control-allow-methods"]
-
-
-def test_cors_allow_all_methods(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[
-            Route(
-                "/",
-                endpoint=homepage,
-                methods=["delete", "get", "head", "options", "patch", "post", "put"],
-            )
-        ],
-        middleware=[
-            Middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["*"])
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    headers = {"Origin": "https://example.org"}
-
-    for method in ("patch", "post", "put"):
-        response = getattr(client, method)("/", headers=headers, json={})
-        assert response.status_code == 200
-    for method in ("delete", "get", "head", "options"):
-        response = getattr(client, method)("/", headers=headers)
-        assert response.status_code == 200
-
-
-def test_cors_allow_origin_regex(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_headers=["X-Example", "Content-Type"],
-                allow_origin_regex="https://.*",
-                allow_credentials=True,
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test standard response
-    headers = {"Origin": "https://example.org"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-allow-credentials"] == "true"
-
-    # Test standard credentialed response
-    headers = {"Origin": "https://example.org", "Cookie": "star_cookie=sugar"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert response.headers["access-control-allow-credentials"] == "true"
-
-    # Test disallowed standard response
-    # Note that enforcement is a browser concern. The disallowed-ness is reflected
-    # in the lack of an "access-control-allow-origin" header in the response.
-    headers = {"Origin": "http://example.org"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert "access-control-allow-origin" not in response.headers
-
-    # Test pre-flight response
-    headers = {
-        "Origin": "https://another.com",
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "X-Example, content-type",
-    }
-    response = client.options("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "OK"
-    assert response.headers["access-control-allow-origin"] == "https://another.com"
-    assert response.headers["access-control-allow-headers"] == (
-        "Accept, Accept-Language, Content-Language, Content-Type, X-Example"
-    )
-    assert response.headers["access-control-allow-credentials"] == "true"
-
-    # Test disallowed pre-flight response
-    headers = {
-        "Origin": "http://another.com",
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "X-Example",
-    }
-    response = client.options("/", headers=headers)
-    assert response.status_code == 400
-    assert response.text == "Disallowed CORS origin"
-    assert "access-control-allow-origin" not in response.headers
-
-
-def test_cors_allow_origin_regex_fullmatch(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_headers=["X-Example", "Content-Type"],
-                allow_origin_regex=r"https://.*\.example.org",
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-
-    # Test standard response
-    headers = {"Origin": "https://subdomain.example.org"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert (
-        response.headers["access-control-allow-origin"]
-        == "https://subdomain.example.org"
-    )
-    assert "access-control-allow-credentials" not in response.headers
-
-    # Test diallowed standard response
-    headers = {"Origin": "https://subdomain.example.org.hacker.com"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert "access-control-allow-origin" not in response.headers
-
-
-def test_cors_credentialed_requests_return_specific_origin(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[Middleware(CORSMiddleware, allow_origins=["*"])],
-    )
-    client = test_client_factory(app)
-
-    # Test credentialed request
-    headers = {"Origin": "https://example.org", "Cookie": "star_cookie=sugar"}
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.text == "Homepage"
-    assert response.headers["access-control-allow-origin"] == "https://example.org"
-    assert "access-control-allow-credentials" not in response.headers
-
-
-def test_cors_vary_header_defaults_to_origin(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[Middleware(CORSMiddleware, allow_origins=["https://example.org"])],
-    )
-
-    headers = {"Origin": "https://example.org"}
-
-    client = test_client_factory(app)
-
-    response = client.get("/", headers=headers)
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Origin"
-
-
-def test_cors_vary_header_is_not_set_for_non_credentialed_request(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse(
-            "Homepage", status_code=200, headers={"Vary": "Accept-Encoding"}
-        )
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[Middleware(CORSMiddleware, allow_origins=["*"])],
-    )
-    client = test_client_factory(app)
-
-    response = client.get("/", headers={"Origin": "https://someplace.org"})
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Accept-Encoding"
-
-
-def test_cors_vary_header_is_properly_set_for_credentialed_request(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse(
-            "Homepage", status_code=200, headers={"Vary": "Accept-Encoding"}
-        )
-
-    app = Starlette(
-        routes=[Route("/", endpoint=homepage)],
-        middleware=[Middleware(CORSMiddleware, allow_origins=["*"])],
-    )
-    client = test_client_factory(app)
-
-    response = client.get(
-        "/", headers={"Cookie": "foo=bar", "Origin": "https://someplace.org"}
-    )
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Accept-Encoding, Origin"
-
-
-def test_cors_vary_header_is_properly_set_when_allow_origins_is_not_wildcard(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse(
-            "Homepage", status_code=200, headers={"Vary": "Accept-Encoding"}
-        )
-
-    app = Starlette(
-        routes=[
-            Route("/", endpoint=homepage),
-        ],
-        middleware=[Middleware(CORSMiddleware, allow_origins=["https://example.org"])],
-    )
-    client = test_client_factory(app)
-
-    response = client.get("/", headers={"Origin": "https://example.org"})
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Accept-Encoding, Origin"
-
-
-def test_cors_allowed_origin_does_not_leak_between_credentialed_requests(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse("Homepage", status_code=200)
-
-    app = Starlette(
-        routes=[
-            Route("/", endpoint=homepage),
-        ],
-        middleware=[
-            Middleware(
-                CORSMiddleware,
-                allow_origins=["*"],
-                allow_headers=["*"],
-                allow_methods=["*"],
-            )
-        ],
-    )
-
-    client = test_client_factory(app)
-    response = client.get("/", headers={"Origin": "https://someplace.org"})
-    assert response.headers["access-control-allow-origin"] == "*"
-    assert "access-control-allow-credentials" not in response.headers
-
-    response = client.get(
-        "/", headers={"Cookie": "foo=bar", "Origin": "https://someplace.org"}
-    )
-    assert response.headers["access-control-allow-origin"] == "https://someplace.org"
-    assert "access-control-allow-credentials" not in response.headers
-
-    response = client.get("/", headers={"Origin": "https://someplace.org"})
-    assert response.headers["access-control-allow-origin"] == "*"
-    assert "access-control-allow-credentials" not in response.headers
-
-
-def test_cors_x_nucliadb_cors_allowed_origins(
-    test_client_factory: TestClientFactory,
-) -> None:
-    def homepage(request: Request) -> PlainTextResponse:
-        return PlainTextResponse(
-            "Homepage",
-            status_code=200,
-            headers={
-                "Vary": "Accept-Encoding",
-                "x-nucliadb-cors-allowed-origins": "https://example-a.org,https://example-b.org",
-            },
-        )
-
-    app = Starlette(
-        routes=[
-            Route("/", endpoint=homepage),
-        ],
-        middleware=[Middleware(CORSMiddleware, allow_origins=["https://example.org"])],
-    )
-    client = test_client_factory(app)
-
-    response = client.get("/", headers={"Origin": "https://example.org"})
-
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Accept-Encoding"
-    assert "access-control-allow-origin" not in response.headers
-
-    response = client.get("/", headers={"Origin": "https://example-a.org"})
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Accept-Encoding, Origin"
-    assert response.headers["access-control-allow-origin"] == "https://example-a.org"
-
-    response = client.get("/", headers={"Origin": "https://example-b.org"})
-    assert response.status_code == 200
-    assert response.headers["vary"] == "Accept-Encoding, Origin"
-    assert response.headers["access-control-allow-origin"] == "https://example-b.org"