Merge pull request #72 from geoadmin/develop

New Release v1.3.0 - #minor
geoadmin · Oct 10, 2023 · fcb6965 · fcb6965
2 parents d324935 + 2f1aa6f
commit fcb6965
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 96 deletions.
diff --git a/Makefile b/Makefile
@@ -60,7 +60,6 @@ help:
 	@echo "Possible targets:"
 	@echo -e " \033[1mSetup TARGETS\033[0m "
 	@echo "- setup              Create the python virtual environment and activate it"
-	@echo "- dev                Create the python virtual environment with developper tools and activate it"
 	@echo "- ci                 Create the python virtual environment and install requirements based on the Pipfile.lock"
 	@echo -e " \033[1mFORMATING, LINTING AND TESTING TOOLS TARGETS\033[0m "
 	@echo "- format             Format the python source code"
@@ -84,15 +83,9 @@ help:
 
 # Build targets. Calling setup is all that is needed for the local files to be installed as needed.
 
-.PHONY: dev
-dev:
-	pipenv install --dev
-	pipenv shell
-
-
 .PHONY: setup
 setup:
-	pipenv install
+	pipenv install --dev
 	pipenv shell
 
 

diff --git a/README.md b/README.md
@@ -172,3 +172,5 @@ The service is configured by Environment Variable:
 | FORWARDED_PROTO_HEADER_NAME | `X-Forwarded-Proto` | Sets gunicorn `secure_scheme_headers` parameter to `{${FORWARDED_PROTO_HEADER_NAME}: 'https'}`. This settings is required in order to generate correct URLs in the service responses. See [Gunicorn Doc](https://docs.gunicorn.org/en/stable/settings.html#secure-scheme-headers). |
 | SCRIPT_NAME | `''` | If the service is behind a reverse proxy and not served at the root, the route prefix must be set in `SCRIPT_NAME`. |
 | WSGI_TIMEOUT | `5` | WSGI timeout. |
+| GUNICORN_TMPFS_DIR | `None` |The working directory for the gunicorn workers. |
+| WSGI_WORKERS | `2` | The number of workers per CPU. | 
diff --git a/app/__init__.py b/app/__init__.py
@@ -81,18 +81,22 @@ def validate_origin():
         logger.error('Origin=%s does not match %s', origin, ALLOWED_DOMAINS_PATTERN)
         abort(403, 'Permission denied')
 
-    if sec_fetch_site is not None:
-        if sec_fetch_site in ['same-origin', 'same-site']:
-            return
-        logger.error('Sec-Fetch-Site=%s is not allowed', sec_fetch_site)
-        abort(403, 'Permission denied')
-
+    # BGDIINF_SB-3115: Apparently IOS 16 has a bug and set Sec-Fetch-Site=cross-site even if the
+    # request is originated (same origin and/or referrer) from the same site ! Therefore to avoid
+    # issue on IOS we first checks the referrer before checking Sec-Fetch-Site even if this not
+    # correct.
     if referrer is not None:
         if is_domain_allowed(referrer):
             return
         logger.error('Referer=%s does not match %s', referrer, ALLOWED_DOMAINS_PATTERN)
         abort(403, 'Permission denied')
 
+    if sec_fetch_site is not None:
+        if sec_fetch_site in ['same-origin', 'same-site']:
+            return
+        logger.error('Sec-Fetch-Site=%s is not allowed', sec_fetch_site)
+        abort(403, 'Permission denied')
+
     logger.error('Referer and/or Origin and/or Sec-Fetch-Site headers not set')
     abort(403, 'Permission denied')
 

diff --git a/buildspec.yml b/buildspec.yml
diff --git a/wsgi.py b/wsgi.py
@@ -32,7 +32,9 @@ def load(self):
     options = {
         'bind': f"0.0.0.0:{HTTP_PORT}",
         'worker_class': 'gevent',
-        'workers': 2,  # scaling horizontally is left to Kubernetes
+        'worker_tmp_dir': os.getenv("GUNICORN_TMPFS_DIR", None),
+        'workers': int(os.getenv('WSGI_WORKERS',
+                                 '2')),  # scaling horizontally is left to Kubernetes
         'timeout': int(os.getenv('WSGI_TIMEOUT', '5')),
         'logconfig_dict': get_logging_cfg(),
         'forwarded_allow_ips': os.getenv('FORWARED_ALLOW_IPS', '*'),