Merge pull request #75 from DIAGNijmegen/74_same_domain_calls

Allow same domain API calls
DIAGNijmegen · Mar 1, 2021 · 2b61e16 · 2b61e16
2 parents 44c535a + af4f226
commit 2b61e16
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 4 deletions.
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -2,6 +2,12 @@
 History
 =======
 
+0.3.5 (2021-03-01)
+------------------
+
+* Allow same domain calls
+* Normalize API tokens
+
 0.3.4 (2021-02-03)
 ------------------
 

diff --git a/gcapi/__version__.py b/gcapi/__version__.py
@@ -1,3 +1,3 @@
-VERSION = (0, 3, 4)
+VERSION = (0, 3, 5)
 
 __version__ = ".".join(map(str, VERSION))
diff --git a/gcapi/gcapi.py b/gcapi/gcapi.py
@@ -7,7 +7,7 @@
 from random import randint, random
 from time import sleep, time
 from typing import Dict, List, Type
-from urllib.parse import urljoin
+from urllib.parse import urljoin, urlparse
 
 import jsonschema
 from requests import ConnectionError, Session
@@ -498,8 +498,11 @@ def base_url(self):
         return self._base_url
 
     def _validate_url(self, url):
-        if not url.startswith(self._base_url):
-            raise RuntimeError(f"{url} does not start with {self._base_url}")
+        base = urlparse(self._base_url)
+        target = urlparse(url)
+
+        if not target.scheme == "https" or target.netloc != base.netloc:
+            raise RuntimeError(f"Invalid target URL: {url}")
 
     def __call__(
         self,
@@ -520,6 +523,7 @@ def __call__(
             extra_headers["Content-Type"] = "application/json"
 
         self._validate_url(url)
+
         response = self.request(
             method=method,
             url=url,

diff --git a/tests/test_gcapi.py b/tests/test_gcapi.py
@@ -70,6 +70,39 @@ def test_custom_base_url():
     assert c._base_url.startswith("https://example.com")
 
 
+@pytest.mark.parametrize(
+    "url",
+    (
+        "https://example.com/api/v1/",
+        "https://example.com/",
+        "https://example.com",
+        "https://example.com/another/",
+        "https://example.com/../../foo/",
+    ),
+)
+def test_same_domain_calls_are_ok(url):
+    c = Client(token="foo", base_url="https://example.com/api/v1/")
+    assert c._validate_url(url=url) is None
+
+
+@pytest.mark.parametrize(
+    "url",
+    (
+        "https://notexample.com/api/v1/",
+        "http://example.com/api/v1/",
+        "https://exаmple.com/api/v1/",  # а = \u0430
+        "https://sub.example.com/api/v1/",
+        "https://example.com:443/api/v1/",
+        "example.com/api/v1/",
+        "//example.com/api/v1/",
+    ),
+)
+def test_invalid_url_fails(url):
+    c = Client(token="foo", base_url="https://example.com/api/v1/")
+    with pytest.raises(RuntimeError):
+        c._validate_url(url=url)
+
+
 def test_command_line_interface():
     """Test the CLI."""
     runner = CliRunner()