Skip to content

feat: add cors middleware to api server#374

Open
Scr4tch587 wants to merge 1 commit into
mainfrom
kai/cors-middleware
Open

feat: add cors middleware to api server#374
Scr4tch587 wants to merge 1 commit into
mainfrom
kai/cors-middleware

Conversation

@Scr4tch587

Copy link
Copy Markdown
Collaborator

What changed

  • added `CORSMiddleware` to `builders/server/main.py`, configured via a new `CORS_ALLOW_ORIGINS` env var (comma-separated exact origins). defaults to the GitHub Pages origin (`https://wat-street.github.io\`) + the local Vite dev server (`http://localhost:5173\`)
  • middleware is added last so it wraps outermost: preflight `OPTIONS` requests short-circuit before auth and request-context logging
  • documented the env var in `infra/.env.template` (flows into the builder container via the existing `env_file`)
  • added `tests/core/api/test_cors.py`: allowed origin preflight (incl. `Authorization` header), dev origin, unknown origin rejected

Why

The frontend is being migrated to a React app deployed on GitHub Pages, which is a different origin than the API — browsers won't send the `Authorization: Bearer` header cross-origin without CORS approval.

Benefit

Browser clients on the Pages origin (and local dev) can call the API. Auth is unchanged: every non-public route still requires a valid API key; CORS only permits the browser to send it. `allow_credentials` stays off since we use a bearer header, not cookies.

🤖 Generated with Claude Code

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant