VoxSum-bak / src /server /main.py
Luigi's picture
fix: final-review hardening (health route, SSRF edge cases, moonshine names)
800c5be
Raw
History Blame Contribute Delete
1.66 kB
from __future__ import annotations
import os
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from fastapi.staticfiles import StaticFiles
from .core.config import get_settings
from .routers.api import router as api_router
settings = get_settings()
app = FastAPI(title=settings.app_name)
# Origins are configurable via VOXSUM_CORS_ORIGINS (comma-separated); default is
# a wildcard for this single-tenant app. Credentials are intentionally disabled:
# the API uses no cookies/auth, and a wildcard origin combined with
# allow_credentials=True is invalid per the CORS spec — Starlette would reflect
# the caller's Origin and return Access-Control-Allow-Credentials: true, letting
# any site make credentialed cross-origin requests.
_cors_origins = [
origin.strip()
for origin in os.environ.get("VOXSUM_CORS_ORIGINS", "*").split(",")
if origin.strip()
]
app.add_middleware(
CORSMiddleware,
allow_origins=_cors_origins or ["*"],
allow_credentials=False,
allow_methods=["*"],
allow_headers=["*"],
)
@app.get("/health")
def healthcheck() -> dict[str, str]:
return {"status": "ok"}
app.include_router(api_router)
# The "/" mount is a catch-all and must be registered LAST: Starlette matches
# routes/mounts in registration order, so any route declared after it (e.g.
# /health) would be shadowed by the static file server and return 404.
app.mount("/static", StaticFiles(directory=settings.static_dir), name="static")
app.mount("/media", StaticFiles(directory=settings.audio_dir), name="media")
app.mount("/", StaticFiles(directory=settings.frontend_dir, html=True), name="frontend")