Harden auth and security controls with session auth and docs

2026-03-01 15:29:09 -03:00
parent 7a19f22f41
commit 0242e061c2
36 changed files with 1794 additions and 505 deletions


@@ -10,6 +10,7 @@ from app.api.router import api_router
from app.core.config import get_settings
from app.db.base import init_db
from app.services.app_settings import ensure_app_settings
from app.services.authentication import ensure_bootstrap_users
from app.services.handwriting_style import ensure_handwriting_style_collection
from app.services.storage import ensure_storage
from app.services.typesense_index import ensure_typesense_collection
@@ -18,7 +19,6 @@ from app.services.typesense_index import ensure_typesense_collection
settings = get_settings()
UPLOAD_ENDPOINT_PATH = "/api/v1/documents/upload"
UPLOAD_ENDPOINT_METHOD = "POST"
CORS_HTTP_ORIGIN_REGEX = r"^https?://[^/]+$"
def _is_upload_size_guard_target(request: Request) -> bool:
@@ -35,11 +35,11 @@ def create_app() -> FastAPI:
"""Builds and configures the FastAPI application instance."""
app = FastAPI(title="DCM DMS API", version="0.1.0")
allowed_origins = [origin.strip() for origin in settings.cors_origins if isinstance(origin, str) and origin.strip()]
app.add_middleware(
CORSMiddleware,
allow_origins=settings.cors_origins,
allow_origin_regex=CORS_HTTP_ORIGIN_REGEX,
allow_credentials=True,
allow_origins=allowed_origins,
allow_credentials=bool(getattr(settings, "cors_allow_credentials", False)),
allow_methods=["*"],
allow_headers=["*"],
)
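Review bot: The new `allowed_origins` filter drops blank and non-string entries but does not reject a literal `"*"`, so a wildcard origin can still be passed to CORSMiddleware together with `allow_credentials=True`; if I read Starlette's behaviour right, a `"*"` entry is treated as allow-all and, with credentials enabled, the request's Origin is echoed back, which is the configuration this hardening change is presumably meant to rule out. A guard before `app.add_middleware(...)` closes it: `allow_credentials = bool(getattr(settings, "cors_allow_credentials", False))` followed by `if allow_credentials and "*" in allowed_origins: raise RuntimeError("cors_origins may not contain '*' when cors_allow_credentials is enabled")`, then pass `allow_credentials=allow_credentials`. The `getattr(..., False)` fallback also hides a missing or misspelled settings field by silently defaulting to no credentials; declaring `cors_allow_credentials` on the settings model (not visible here) and reading `settings.cors_allow_credentials` directly would make that an import-time error instead. create_app continues outside the hunk.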
@@ -82,8 +82,9 @@ def create_app() -> FastAPI:
"""Initializes storage directories and database schema on service startup."""
ensure_storage()
ensure_app_settings()
init_db()
ensure_bootstrap_users()
ensure_app_settings()
try:
ensure_typesense_collection()
except Exception: