Add support for Heroku Review Apps

Also fix failing tests.

.github/workflows/python-app.yml

@@ -34,8 +34,3 @@ jobs:
 
       - name: Test
         run: poetry run make unit
-
-      - name: Upload to BlueRacer
-        run: bash <(curl -s https://app.blueracer.io/upload)
-        env:
-          BLUERACER_TOKEN: ${{ secrets.BLUERACER_TOKEN }}

README.rst

@@ -23,6 +23,7 @@ Compatibility
 pyramid_cloudflare_access runs with pyramid>=1.7 and python>=3.6.
 Other versions might also work.
 
+Heroku Review Apps deployed on `*.herokuapp.com` subdomains automatically skip the cloudflare access check as their domains are dynamic and as such can't be configured in Cloudflare dashboard in advance. 
 
 Usage
 -----

pyramid_cloudflare_access/__init__.py

@@ -38,7 +38,7 @@ def __init__(self, handler, registry):
 
     def authenticated_request(self, request: Request) -> bool:
         token = request.cookies.get("CF_Authorization")
-
+        
         if not token:
             raise exc.HTTPBadRequest()
 
@@ -60,6 +60,10 @@ def authenticated_request(self, request: Request) -> bool:
 
     def __call__(self, request: Request):
 
+        # Support for Heroku Review apps
+        if "herokuapp.com" in request.headers.get("Host", ""):
+            return self.handler(request)
+
         if not self.authenticated_request(request):
             raise exc.HTTPForbidden()
 

pyramid_cloudflare_access/tests/test_access.py

@@ -40,7 +40,7 @@
 sample_audience = "https://expenses-api"
 
 
-@pytest.mark.freeze_time("2017-05-21")
+@pytest.mark.freeze_time("2019-10-25 12:36:00")
 def test_happy_path(mocker) -> None:
     """Test that JWT token is parsed and authorized."""
 
@@ -53,7 +53,7 @@ def test_happy_path(mocker) -> None:
     request.cookies = {"CF_Authorization": sample_token}
     request.registry.settings = {
         "pyramid_cloudflare_access.policy_audience": sample_audience,
-        "pyramid_cloudflare_access.team": "auth0",
+        "pyramid_cloudflare_access.team": "https://foo.cloudflareaccess.com",
     }
 
     CloudflareAccess(tween_handler, request.registry)(request)
@@ -71,7 +71,7 @@ def test_missing_cookie(mocker) -> None:
     request = testing.DummyRequest()
     request.registry.settings = {
         "pyramid_cloudflare_access.policy_audience": sample_audience,
-        "pyramid_cloudflare_access.team": "auth0",
+        "pyramid_cloudflare_access.team": "https://foo.cloudflareaccess.com",
     }
     with pytest.raises(HTTPBadRequest):
         CloudflareAccess(tween_handler, request.registry)(request)
@@ -89,7 +89,27 @@ def test_auth_failed(mocker) -> None:
     request.cookies = {"CF_Authorization": sample_token}
     request.registry.settings = {
         "pyramid_cloudflare_access.policy_audience": sample_audience,
-        "pyramid_cloudflare_access.team": "auth0",
+        "pyramid_cloudflare_access.team": "https://foo.cloudflareaccess.com",
     }
     with pytest.raises(HTTPForbidden):
         CloudflareAccess(tween_handler, request.registry)(request)
+
+def test_herokuapp(mocker) -> None:
+    """Test that Cloudflare Access is skipped for Heroku-hosted apps.
+
+    This is to support Review Apps that have dynamic *.herokuapp.com hostname,
+    that cannot be configured as a domain for Cloudflare Access application
+    in Cloudflare dashboard.
+    """
+    tween_handler = mocker.Mock()
+
+    request = testing.DummyRequest()
+    request.cookies = {}
+    request.registry.settings = {
+        "pyramid_cloudflare_access.policy_audience": sample_audience,
+        "pyramid_cloudflare_access.team": "https://foo.cloudflareaccess.com",
+    }
+    request.headers['Host'] = "foo.herokuapp.com"
+
+    CloudflareAccess(tween_handler, request.registry)(request)
+    tween_handler.assert_called_with(request)