Use CORS origin regex for Tailscale domain

### Lineage `plan-mcd-tracker` → Phase 7c (Local Dev Stack) ### Repo `forgejo_admin/mcd-tracker-api` ### User Story As a developer adding new dev URLs (mcd-tracker-dev, capacitor-dev, future hostnames) I want the API to accept CORS from any *.tail5b443a.ts.net hostname automatically So that I never have to update CORS origins and redeploy the API just because I created a new Tailscale funnel ### Context Every new dev URL requires a code change to `main.py` CORS origins + a full CI rebuild. This happened twice in one session (capacitor-dev, mcd-tracker-dev). FastAPI's CORSMiddleware supports `allow_origin_regex` which solves this permanently. Non-Tailscale origins (capacitor://localhost, http://localhost) stay as explicit entries. ### File Targets Files to modify: - `src/mcd_tracker_api/main.py` — replace `allow_origins` list with `allow_origin_regex` for Tailscale domain + explicit list for non-Tailscale origins ### Acceptance Criteria - [ ] Any `https://*.tail5b443a.ts.net` origin is accepted by CORS - [ ] `capacitor://localhost` and `http://localhost` still work - [ ] `http://localhost:5173` still works - [ ] Random external domains are rejected - [ ] Existing tests pass ### Test Expectations - [ ] `pytest` passes - [ ] Manual: `curl -H "Origin: https://anything.tail5b443a.ts.net" -I http://localhost:8000/healthz` returns `Access-Control-Allow-Origin` header - [ ] Manual: `curl -H "Origin: https://evil.com" -I http://localhost:8000/healthz` does NOT return the header - Run command: `cd ~/mcd-tracker-api && .venv/bin/pytest` ### Constraints - Use `allow_origin_regex` from FastAPI CORSMiddleware — not a custom middleware - The tailscale domain should come from config/settings, not hardcoded (use `settings.tailscale_domain` or similar) - Keep `capacitor://localhost` and `http://localhost*` as explicit allowed origins (regex can't cover non-https schemes cleanly) ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `mcd-tracker` — project this affects - `plan-mcd-tracker` — Phase 7c - `sop-capacitor-mobile-lifecycle` — this eliminates the CORS step from dev setup

forgejo_admin commented

2026-03-17 07:41:08 +00:00

Contributor

Lineage

plan-mcd-tracker → Phase 7c (Local Dev Stack)

Repo

forgejo_admin/mcd-tracker-api

User Story

As a developer adding new dev URLs (mcd-tracker-dev, capacitor-dev, future hostnames)
I want the API to accept CORS from any *.tail5b443a.ts.net hostname automatically
So that I never have to update CORS origins and redeploy the API just because I created a new Tailscale funnel

Context

Every new dev URL requires a code change to main.py CORS origins + a full CI rebuild. This happened twice in one session (capacitor-dev, mcd-tracker-dev). FastAPI's CORSMiddleware supports allow_origin_regex which solves this permanently. Non-Tailscale origins (capacitor://localhost, http://localhost) stay as explicit entries.

File Targets

Files to modify:

src/mcd_tracker_api/main.py — replace allow_origins list with allow_origin_regex for Tailscale domain + explicit list for non-Tailscale origins

Acceptance Criteria

Any https://*.tail5b443a.ts.net origin is accepted by CORS
capacitor://localhost and http://localhost still work
http://localhost:5173 still works
Random external domains are rejected
Existing tests pass

Test Expectations

pytest passes
Manual: curl -H "Origin: https://anything.tail5b443a.ts.net" -I http://localhost:8000/healthz returns Access-Control-Allow-Origin header
Manual: curl -H "Origin: https://evil.com" -I http://localhost:8000/healthz does NOT return the header
Run command: cd ~/mcd-tracker-api && .venv/bin/pytest

Constraints

Use allow_origin_regex from FastAPI CORSMiddleware — not a custom middleware
The tailscale domain should come from config/settings, not hardcoded (use settings.tailscale_domain or similar)
Keep capacitor://localhost and http://localhost* as explicit allowed origins (regex can't cover non-https schemes cleanly)