Commit Β·
0cded53
1
Parent(s): 23eb242
fix(cors): restrict CORS origins via ALLOWED_ORIGINS env var
- Added ENVIRONMENT and ALLOWED_ORIGINS fields to Settings in config.py
- Added cors_origins property: returns ['*'] in dev, parsed list in prod
- Updated CORSMiddleware in main.py to use settings.cors_origins
- Added startup log showing active CORS origins
- Updated .env.example with ENVIRONMENT and ALLOWED_ORIGINS entries
Closes #65
- .env.example +6 -0
- backend/app/config.py +9 -0
- backend/app/main.py +2 -1
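--- a/.env.example
+++ b/.env.example
@@ -2,6 +2,12 @@
 SECRET_KEY=change-me-in-production
 DATABASE_URL=sqlite:///./data/app.db
 
+# ββ Environment & CORS ββββββββββββββββββββββββββββββ
+ENVIRONMENT=development
+# In production, set ENVIRONMENT=production and list your allowed origins:
+# ALLOWED_ORIGINS=https://yourapp.com,https://www.yourapp.com
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:7860
+
 # ββ HuggingFace (Required for LLM) ββββββββββββββββββ
 HF_TOKEN=your_huggingface_token_here
 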
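--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -12,6 +12,8 @@ class Settings(BaseSettings):
     APP_NAME: str = "Document AI Analyst"
     SECRET_KEY: str = "change-me-in-production-please"
     DEBUG: bool = False
+    ENVIRONMENT: str = "development"
+    ALLOWED_ORIGINS: str = "http://localhost:3000,http://localhost:7860"
 
     # ββ Database βββββββββββββββββββββββββββββββββββββββββ
     DATABASE_URL: str = "sqlite:///./data/app.db"
@@ -47,6 +49,13 @@ class Settings(BaseSettings):
     # ββ Reranker βββββββββββββββββββββββββββββββββββββββββ
     RERANKER_MODEL: str = "cross-encoder/ms-marco-MiniLM-L-6-v2"
 
+
+    @property
+    def cors_origins(self) -> list[str]:
+        if self.ENVIRONMENT == "production":
+            return [o.strip() for o in self.ALLOWED_ORIGINS.split(",")]
+        return ["*"]
+
     class Config:
         env_file = ".env"
         env_file_encoding = "utf-8"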
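--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -63,11 +63,12 @@ app = FastAPI(
 # ββ CORS (allow frontend dev server) βββββββββββββββββ
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=
+    allow_origins=settings.cors_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
+logger.info(f"CORS origins: {settings.cors_origins}")
 
 # ββ Mount API Routes βββββββββββββββββββββββββββββββββ
 from app.routes.auth import router as auth_router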