fix: add CORS middleware to allow pal-e-production frontend #258

Closed
opened 2026-04-12 15:45:09 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Bug

Lineage

Standalone — discovered during gdocs-daily-mcp-remote scoping session while trying to view newly created architecture notes.

Repo

forgejo_admin/pal-e-api

What Broke

The pal-e-docs API has no CORS middleware. The pal-e-production frontend (pal-e-production.tail5b443a.ts.net) makes client-side fetch() calls to the API (pal-e-docs.tail5b443a.ts.net). Browsers block these cross-origin requests with:

Access to fetch at 'https://pal-e-docs.tail5b443a.ts.net/notes/...' from origin 'https://pal-e-production.tail5b443a.ts.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Repro Steps

  1. Navigate to https://pal-e-production.tail5b443a.ts.net/notes/story-gdocs-daily-mobile-daily-review
  2. Open browser DevTools console
  3. Observe: CORS errors on all fetch requests to pal-e-docs.tail5b443a.ts.net

Expected Behavior

API returns proper Access-Control-Allow-Origin headers. Notes render in the browser.

Environment

  • Cluster/namespace: prod / pal-e-docs
  • Service version/commit: 89f663b
  • Frontend: pal-e-production (8 days old, SvelteKit client-side rendering)

Acceptance Criteria

  • pal-e-production.tail5b443a.ts.net can fetch from pal-e-docs.tail5b443a.ts.net without CORS errors
  • Notes render in the browser at the production URL
  • Allowed origins configurable via env var (PALDOCS_ALLOWED_ORIGINS)
  • No regression — existing MCP and direct API consumers still work

Related

  • project-pal-e-platform — platform project
  • File targets: src/pal_e_docs/main.py (add CORSMiddleware), src/pal_e_docs/config.py (add allowed_origins setting)
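
One way to satisfy the `PALDOCS_ALLOWED_ORIGINS` criterion, as an added example that is not code from the pal-e-api repository: parse the variable into an exact-match allowlist and decide the CORS response headers per request. The comma-separated format, the https-only rule, the function names, and the preflight method/header values are assumptions made for illustration.

```python
from __future__ import annotations

import os
from urllib.parse import urlsplit

# Assumed preflight values; adjust to what the API actually serves.
ALLOW_METHODS = "GET, OPTIONS"
ALLOW_HEADERS = "Content-Type"


def parse_allowed_origins(raw: str) -> frozenset[str]:
    """Parse a comma-separated origin list into an exact-match allowlist."""
    origins = set()
    for item in raw.split(","):
        item = item.strip().rstrip("/")
        if not item:
            continue
        parts = urlsplit(item)
        # Rejects "*", "null", plain http, and anything carrying a path or query,
        # so a typo in the env var fails at startup instead of widening access.
        if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
            raise ValueError(f"not a valid https origin: {item!r}")
        origins.add(f"https://{parts.netloc.lower()}")
    return frozenset(origins)


def load_allowed_origins(environ=os.environ) -> frozenset[str]:
    """Read PALDOCS_ALLOWED_ORIGINS; an unset variable allows no origin."""
    return parse_allowed_origins(environ.get("PALDOCS_ALLOWED_ORIGINS", ""))


def cors_headers(origin: str | None, allowed: frozenset[str],
                 preflight: bool = False) -> dict[str, str]:
    """Return the CORS headers to attach for a request's Origin header."""
    # Vary: Origin keeps shared caches from replaying one origin's answer to another.
    headers = {"Vary": "Origin"}
    # No Origin header (MCP, curl, server-to-server): nothing to add, nothing breaks.
    # Unlisted origin: omit Access-Control-Allow-Origin so the browser blocks the read.
    if origin is None or origin not in allowed:
        return headers
    headers["Access-Control-Allow-Origin"] = origin  # echo only allowlisted values
    if preflight:
        headers["Access-Control-Allow-Methods"] = ALLOW_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOW_HEADERS
    return headers
```

If the service uses a framework-provided `CORSMiddleware`, the parsed set is what would be handed to it as the list of allowed origins.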
Reference
ldraney/pal-e-api#258