Stabilize API routing, CORS, and settings save behavior

2026-03-01 14:27:19 -03:00
parent 3d280396ae
commit c5423fc9c3
7 changed files with 43 additions and 42 deletions


@@ -116,9 +116,8 @@ Frontend runtime API target:
- `VITE_API_BASE` in `docker-compose.yml` frontend service (optional override)
- `VITE_API_TOKEN` in `docker-compose.yml` frontend service (optional compatibility fallback only)
When `VITE_API_BASE` is unset, frontend API helpers call relative `/api/v1` paths and the Vite dev server proxy forwards requests to `VITE_DEV_PROXY_TARGET` (defaults to `http://api:8000` in docker-compose).
This avoids browser cross-origin/CORS failures for LAN-hosted development.
When `VITE_API_BASE` is unset, frontend API helpers resolve to:
- `http://<current-frontend-hostname>:8000/api/v1`
Frontend API authentication behavior:
- `frontend/src/lib/api.ts` resolves bearer tokens at request time in this order:
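Review bot: the `VITE_API_TOKEN` line calls the build-time token an "optional compatibility fallback only" but does not say that any value compiled into a Vite bundle is readable by every browser that loads the frontend; add a sentence stating that it must stay unset outside local development and that the request-time resolution order in `frontend/src/lib/api.ts` must prefer a per-user token over it. The relative `/api/v1` behaviour is also only described for the Vite dev server proxy (`VITE_DEV_PROXY_TARGET`); state what routes `/api/v1` in a production build, since without the proxy a relative path resolves against whatever origin serves the static bundle, and a reader could otherwise assume the CORS-free path works unchanged in deployment.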
@@ -167,13 +166,14 @@ Retention settings are used by worker cleanup and by `POST /api/v1/processing/lo
- `documents` endpoints: user token or admin token
- `settings` and `processing/logs` endpoints: admin token only
- Development environments can allow tokenless user-role access for document/search routes via `ALLOW_DEVELOPMENT_ANONYMOUS_USER_ACCESS=true`; production remains token-enforced.
- Development CORS allows localhost and RFC1918 private-network origins via regex in addition to explicit `CORS_ORIGINS`, so LAN-hosted frontend access remains functional.
- CORS allows HTTP and HTTPS origins by regex in addition to explicit `CORS_ORIGINS`, so LAN and public-domain frontend origins are accepted.
- Authentication fails closed when `ADMIN_API_TOKEN` is not configured and admin access is requested.
- Document preview endpoint blocks inline rendering for script-capable MIME types and forces attachment responses for active content.
- Provider base URLs are validated on settings updates and before outbound model calls:
- allowlist enforcement (`PROVIDER_BASE_URL_ALLOWLIST`)
- scheme restrictions (`https` by default)
- local/private-network blocking and per-request DNS revalidation checks for outbound runtime calls, including OCR provider path
- optional allowlist enforcement (`PROVIDER_BASE_URL_ALLOWLIST`)
- optional scheme restrictions (`PROVIDER_BASE_URL_ALLOW_HTTP`)
- optional private-network restrictions (`PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK`)
- per-request DNS revalidation checks for outbound runtime calls, including OCR provider path
- Upload and archive safety guards are enforced:
- `POST /api/v1/documents/upload` requires `Content-Length` and enforces file-count, per-file size, and total request size limits
- `OPTIONS /api/v1/documents/upload` CORS preflight is excluded from `Content-Length` enforcement
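Review bot: the rewritten CORS line ("allows HTTP and HTTPS origins by regex in addition to explicit `CORS_ORIGINS`, so LAN and public-domain frontend origins are accepted") replaces a regex scoped to localhost and RFC1918 origins with one that, as described, matches any origin, which makes the explicit `CORS_ORIGINS` list meaningless and, if credentialed requests are allowed, lets an arbitrary site issue cross-origin calls from a user's browser; document the exact pattern and the credentials setting, and gate the broad regex behind a development flag in the same way `ALLOW_DEVELOPMENT_ANONYMOUS_USER_ACCESS` gates tokenless access, so production is limited to `CORS_ORIGINS`. Secondly, the provider base URL bullets now mark the allowlist, scheme and private-network checks as "optional" behind `PROVIDER_BASE_URL_ALLOW_HTTP` and `PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK` but drop the defaults the removed lines stated ("`https` by default", "local/private-network blocking"); say explicitly that https-only and private-network blocking remain the defaults so the outbound-call protection is not read as opt-in.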