Add CORS to the API. Fix #404 (#407)

2 files changed, 12 insertions, 0 deletions

diff --git a/ihatemoney/api.py b/ihatemoney/api.py
index 6068cf7..c9c5376 100644
--- a/ihatemoney/api.py
+++ b/ihatemoney/api.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 from flask import Blueprint, request
 from flask_restful import Resource, Api, abort
+from flask_cors import CORS
 from wtforms.fields.core import BooleanField
 
 from ihatemoney.models import db, Project, Person, Bill
@@ -11,6 +12,7 @@ from functools import wraps
 
 
 api = Blueprint("api", __name__, url_prefix="/api")
+CORS(api)
 restful_api = Api(api)
 
 
diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py
index f368780..17b3a8d 100644
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@@ -1020,6 +1020,16 @@ class APITestCase(IhatemoneyTestCase):
             ('%s:%s' % (username, password)).encode('utf-8')).decode('utf-8').replace('\n', '')
         return {"Authorization": "Basic %s" % base64string}
 
+    def test_cors_requests(self):
+        # Create a project and test that CORS headers are present if requested.
+        resp = self.api_create("raclette")
+        self.assertStatus(201, resp)
+
+        # Try to do an OPTIONS requests and see if the headers are correct.
+        resp = self.client.options("/api/projects/raclette",
+                                   headers=self.get_auth("raclette"))
+        self.assertEqual(resp.headers['Access-Control-Allow-Origin'], '*')
+
     def test_basic_auth(self):
         # create a project
         resp = self.api_create("raclette")