Use whitenoise for static file handling (#6662)

* Update config_template.yaml file

* Adjust ALLOWED_HOSTS behaviour

- Only add wildcard * in DEBUG mode
- Exit if ALLOWED_HOSTS not defined

* Tweak error message

* Use whitenoise for serving static files

- Any requests to /static/ are handled by whitenoise
- If an external reverse proxy (e.g. Caddy) is being used, this will not make a difference

* Update python package requirements

* Add extra log output

* Update ENV for CI checks

* Updates

- Thow error but do not exit
- Revert CI changes

InvenTree/InvenTree/settings.py

@@ -205,6 +205,7 @@ INSTALLED_APPS = [
     'django.contrib.auth',
     'django.contrib.contenttypes',
     'user_sessions',  # db user sessions
+    'whitenoise.runserver_nostatic',
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'django.contrib.sites',
@@ -249,6 +250,7 @@ MIDDLEWARE = CONFIG.get(
         'django.middleware.locale.LocaleMiddleware',
         'django.middleware.csrf.CsrfViewMiddleware',
         'corsheaders.middleware.CorsMiddleware',
+        'whitenoise.middleware.WhiteNoiseMiddleware',
         'django.middleware.common.CommonMiddleware',
         'django.contrib.auth.middleware.AuthenticationMiddleware',
         'InvenTree.middleware.InvenTreeRemoteUserMiddleware',  # Remote / proxy auth
@@ -975,13 +977,24 @@ if not SITE_MULTI:
 ALLOWED_HOSTS = get_setting(
     'INVENTREE_ALLOWED_HOSTS',
     config_key='allowed_hosts',
-    default_value=['*'],
+    default_value=[],
     typecast=list,
 )
 
+if DEBUG and not ALLOWED_HOSTS:
+    logger.warning(
+        'No ALLOWED_HOSTS specified. Defaulting to ["*"] for debug mode. This is not recommended for production use'
+    )
+    ALLOWED_HOSTS = ['*']
+
 if SITE_URL and SITE_URL not in ALLOWED_HOSTS:
     ALLOWED_HOSTS.append(SITE_URL)
 
+if not ALLOWED_HOSTS:
+    logger.error(
+        'No ALLOWED_HOSTS specified. Please provide a list of allowed hosts, or specify INVENTREE_SITE_URL'
+    )
+
 # List of trusted origins for unsafe requests
 # Ref: https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins
 CSRF_TRUSTED_ORIGINS = get_setting(
@@ -1048,6 +1061,15 @@ CORS_ALLOWED_ORIGIN_REGEXES = get_setting(
 if DEBUG:
     CORS_ALLOWED_ORIGIN_REGEXES.append(r'^http://localhost:\d+$')
 
+if CORS_ALLOW_ALL_ORIGINS:
+    logger.info('CORS: All origins allowed')
+else:
+    if CORS_ALLOWED_ORIGINS:
+        logger.info('CORS: Whitelisted origins: %s', CORS_ALLOWED_ORIGINS)
+
+    if CORS_ALLOWED_ORIGIN_REGEXES:
+        logger.info('CORS: Whitelisted origin regexes: %s', CORS_ALLOWED_ORIGIN_REGEXES)
+
 for app in SOCIAL_BACKENDS:
     # Ensure that the app starts with 'allauth.socialaccount.providers'
     social_prefix = 'allauth.socialaccount.providers.'

InvenTree/config_template.yaml

@@ -163,14 +163,14 @@ auto_update: False
 # Allowed hosts (see ALLOWED_HOSTS in Django settings documentation)
 # A list of strings representing the host/domain names that this Django site can serve.
 # Default behaviour is to allow all hosts (THIS IS NOT SECURE!)
-allowed_hosts:
-  - '*'
+# allowed_hosts:
+# - '*'
 
 # Trusted origins (see CSRF_TRUSTED_ORIGINS in Django settings documentation)
 # If you are running behind a proxy, you may need to add the proxy address here
-trusted_origins:
-  - 'http://localhost:8000'
-
+# trusted_origins:
+#   - 'http://localhost'
+#   - 'http://*.localhost'
 
 # Proxy forwarding settings
 # If InvenTree is running behind a proxy, you may need to configure these settings
@@ -183,13 +183,16 @@ use_x_forwarded_port: false
 
 # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
 cors:
-  allow_all: True
-  allow_credentials: True,
+  allow_credentials: true
+
+  # allow_all: false
 
   # whitelist:
   # - https://example.com
   # - https://sub.example.com
 
+  # regex:
+
 # MEDIA_ROOT is the local filesystem location for storing uploaded files
 #media_root: '/home/inventree/data/media'