fix: add CORS middleware for cross-origin frontend access #260

Merged
forgejo_admin merged 1 commit from 258-fix-add-cors-middleware-to-allow-pal-e-p into main 2026-04-12 16:52:01 +00:00
Contributor

Summary

Adds CORSMiddleware to the FastAPI app so the frontend at pal-e-production.tail5b443a.ts.net can make cross-origin fetch() calls to the API without being blocked by browser CORS policy. Origins are configured via the PALDOCS_ALLOWED_ORIGINS env var (comma-separated).

Changes

  • src/pal_e_docs/config.py — Added allowed_origins: str = "" to Settings (env var: PALDOCS_ALLOWED_ORIGINS)
  • src/pal_e_docs/main.py — Import CORSMiddleware from starlette and conditionally add it when origins are configured. Allows GET/POST/PUT/PATCH/DELETE/OPTIONS methods, all headers, no credentials.

Test Plan

  • Deploy with PALDOCS_ALLOWED_ORIGINS=https://pal-e-production.tail5b443a.ts.net set in the environment
  • From the frontend, make a fetch() call to the API and verify no CORS error in browser console
  • Verify OPTIONS preflight returns correct Access-Control-Allow-Origin header
  • Verify that requests from unlisted origins are still blocked
  • With PALDOCS_ALLOWED_ORIGINS unset/empty, verify no CORS headers are added (backward compatible)

Review Checklist

  • ruff check and ruff format pass
  • No new dependencies required (starlette ships with FastAPI)
  • No wildcard * default origin — origins must be explicitly configured
  • Backward compatible — empty default means no CORS headers when env var is unset

Related Notes

None.

Related

Closes #258


Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
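The test plan above depends on each entry in `PALDOCS_ALLOWED_ORIGINS` matching the browser's `Origin` header, which carries only scheme, host and optional port. The following is an added example, not code from this PR or from Starlette: the function names `parse_allowed_origins`, `load_from_env` and `cors_headers` are hypothetical, and `cors_headers` is a simplified model of an exact-match allowlist used to check the expected outcomes offline.

```python
import os
from urllib.parse import urlsplit


def parse_allowed_origins(raw: str) -> list[str]:
    """Split the comma-separated value; reject entries that cannot equal an Origin header."""
    origins = []
    for entry in (part.strip() for part in raw.split(",")):
        if not entry:
            continue  # tolerate empty items such as a trailing comma
        if entry == "*":
            raise ValueError("wildcard origin rejected; list origins explicitly")
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"origin needs an http(s) scheme and a host: {entry!r}")
        if parts.path or parts.query or parts.fragment or parts.username:
            # A trailing slash or path never appears in an Origin header,
            # so such an entry would silently never match.
            raise ValueError(f"origin must be scheme://host[:port] only: {entry!r}")
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins


def load_from_env(env=os.environ) -> list[str]:
    """Read the env var named in the PR; unset or empty yields an empty allowlist."""
    return parse_allowed_origins(env.get("PALDOCS_ALLOWED_ORIGINS", ""))


def cors_headers(request_origin, allowed) -> dict:
    """Model of exact matching: echo a listed origin, add nothing otherwise."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed sample environment mirroring the deployment step in the test plan.
    sample = {"PALDOCS_ALLOWED_ORIGINS": "https://pal-e-production.tail5b443a.ts.net"}
    allowed = load_from_env(sample)
    for origin in ("https://pal-e-production.tail5b443a.ts.net", "https://unlisted.example"):
        print(origin, "->", cors_headers(origin, allowed))
```

Running the validation at startup turns a mistyped origin into a startup error instead of a CORS failure that only shows up in the browser console.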
Author
Contributor

Self-review: LGTM. Minimal, correctly scoped change. No issues found.

  • Config field uses empty string default (no wildcard exposure)
  • Middleware only added when origins are explicitly configured
  • Import from starlette (no new dependency)
  • ruff check + format pass
forgejo_admin deleted branch 258-fix-add-cors-middleware-to-allow-pal-e-p 2026-04-12 16:52:01 +00:00