Nautilus/ledgerdock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Allow private-network CORS origins in development"

Browse Source 
This reverts commit 1b2e0cb8af.
This commit is contained in:
Beda Schmid
2026-03-01 17:12:06 -03:00
parent 1b2e0cb8af
commit bfc89fe5ce
7 changed files with 1 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
backend/app/main.py
View File

@@ -19,15 +19,6 @@ from app.services.typesense_index import ensure_typesense_collection
settings = get_settings()
UPLOAD_ENDPOINT_PATH = "/api/v1/documents/upload"
UPLOAD_ENDPOINT_METHOD = "POST"
CORS_DEVELOPMENT_PRIVATE_ORIGIN_REGEX = (
r"^https?://("
r"localhost"
r"|127\.0\.0\.1"
r"|10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
r"|192\.168\.\d{1,3}\.\d{1,3}"
r"|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}"
r")(?::\d{1,5})?$"
)
def _is_upload_size_guard_target(request: Request) -> bool:
@@ -40,28 +31,14 @@ def _is_upload_size_guard_target(request: Request) -> bool:
return request.method.upper() == UPLOAD_ENDPOINT_METHOD and request.url.path == UPLOAD_ENDPOINT_PATH
def _resolve_cors_origin_regex() -> str | None:
"""Returns development-only private-network origin regex when explicitly enabled."""
app_env = settings.app_env.strip().lower()
if app_env not in {"development", "dev"}:
return None
allow_private_dev_origins = bool(getattr(settings, "cors_allow_development_private_network_origins", False))
if not allow_private_dev_origins:
return None
return CORS_DEVELOPMENT_PRIVATE_ORIGIN_REGEX
def create_app() -> FastAPI:
"""Builds and configures the FastAPI application instance."""
app = FastAPI(title="DCM DMS API", version="0.1.0")
allowed_origins = [origin.strip() for origin in settings.cors_origins if isinstance(origin, str) and origin.strip()]
allowed_origin_regex = _resolve_cors_origin_regex()
app.add_middleware(
CORSMiddleware,
allow_origins=allowed_origins,
allow_origin_regex=allowed_origin_regex,
allow_credentials=bool(getattr(settings, "cors_allow_credentials", False)),
allow_methods=["*"],
allow_headers=["*"],