From 5903f1e4940f4f1f3fe582c23db005b240ace215 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Todorovich?=
Date: Thu, 21 May 2026 10:04:42 -0300
Subject: [PATCH] [IMP] endpoint: support cors setting and default to all origins

This commits adds support for CORS setting on endpoints. Without this, the default behavior is to disallow all origins. That's usually the opposite of what you want for an API endpoint, as you want consumers to be able to access the endpoint from their own origin. Now, by default, the endpoint will allow all origins (default="*"), and it can be further configured for more specific restrictions.
---
 endpoint/tests/test_endpoint.py | 3 +++
 endpoint/views/endpoint_view.xml | 1 +
 endpoint_route_handler/models/endpoint_route_handler.py | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/endpoint/tests/test_endpoint.py b/endpoint/tests/test_endpoint.py
index 6c41a80f..49030bec 100644
--- a/endpoint/tests/test_endpoint.py
+++ b/endpoint/tests/test_endpoint.py
@@ -140,6 +140,7 @@ def test_routing(self):
 "methods": ["GET"],
 "routes": ["/demo/one"],
 "type": "http",
+ "cors": "*",
 "csrf": False,
 "readonly": False,
 },
@@ -161,6 +162,7 @@ def test_routing(self):
 "methods": ["POST"],
 "routes": ["/new/one"],
 "type": "http",
+ "cors": "*",
 "csrf": False,
 "readonly": False,
 },
@@ -176,6 +178,7 @@ def test_routing(self):
 "methods": ["POST"],
 "routes": ["/foo/new/one"],
 "type": "http",
+ "cors": "*",
 "csrf": False,
 "readonly": False,
 },
diff --git a/endpoint/views/endpoint_view.xml b/endpoint/views/endpoint_view.xml
index d51ddfba..cc50404e 100644
--- a/endpoint/views/endpoint_view.xml
+++ b/endpoint/views/endpoint_view.xml
@@ -67,6 +67,7 @@ required="request_method in ('POST', 'PUT')" invisible="request_method not in ('POST', 'PUT')" /> +
diff --git a/endpoint_route_handler/models/endpoint_route_handler.py b/endpoint_route_handler/models/endpoint_route_handler.py
index bba74a54..56e8c07b 100644
--- a/endpoint_route_handler/models/endpoint_route_handler.py
+++ b/endpoint_route_handler/models/endpoint_route_handler.py
@@ -43,6 +43,7 @@ class EndpointRouteHandler(models.AbstractModel):
 endpoint_hash = fields.Char(
 compute="_compute_endpoint_hash", help="Identify the route with its main params"
 )
+ cors = fields.Char(help="Comma-separated list of allowed origins", default="*")
 csrf = fields.Boolean(default=False)
 readonly = fields.Boolean(default=False)
@@ -248,6 +249,7 @@ def _get_routing_info(self):
 auth=self.auth_type,
 methods=[self.request_method],
 routes=[route],
+ cors=self.cors,
 csrf=self.csrf,
 readonly=self.readonly,
 )
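Review bot: The help text on the new `cors` field (hunk `@@ -43,6 +43,7 @@`) promises a comma-separated list, but `Access-Control-Allow-Origin` carries a single origin or `*`, and as far as I know Odoo copies the route's `cors` value into that header unchanged, so a list would be rejected by browsers. The `default="*"` also applies to every model inheriting this mixin, and presumably to existing records on upgrade, including endpoints whose `auth_type` is not public; an empty default with explicit opt-in would be the more conservative posture, or the help should at least say that `*` opens the endpoint to any origin. Suggested wording: `help="Value of the Access-Control-Allow-Origin header: one origin or '*'; leave empty to disable CORS"`. The tests in this patch pin only the `"*"` default, not a restricted or empty value. The class body continues outside the hunk.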
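Review bot: `cors=self.cors` in `_get_routing_info` (hunk `@@ -248,6 +249,7 @@`) forwards the stored string with no normalisation, so stray whitespace or a multi-origin value reaches the routing dict exactly as typed; stripping it here, e.g. `cors=(self.cors or "").strip() or False,`, or validating it in a constraint on the field would catch that early. It is also not visible from this hunk whether `cors` feeds `_compute_endpoint_hash`; if it does not, editing the field on an existing endpoint may leave the registered route unchanged, which matters most when someone tightens `*` to a single origin. `_get_routing_info` starts and ends outside the hunk.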