Deploy DataForge playground API

dataforge/release/playground_check.py

@@ -204,6 +204,12 @@ def _check_cors(
             headers={"Origin": origin},
         )
         negative, negative_latency_ms = _timed_request(
+            client,
+            "GET",
+            f"{backend_url}/api/health",
+            headers={"Origin": NEGATIVE_CORS_ORIGIN},
+        )
+        preflight, preflight_latency_ms = _timed_request(
             client,
             "OPTIONS",
             f"{backend_url}/api/health",
@@ -213,12 +219,19 @@ def _check_cors(
             },
         )
         allowed_origin = positive.headers.get("access-control-allow-origin")
-        rejected_origin = negative.headers.get("access-control-allow-origin")
-        ok = allowed_origin == origin and rejected_origin is None
+        negative_allowed_origin = negative.headers.get("access-control-allow-origin")
+        preflight_allowed_origin = preflight.headers.get("access-control-allow-origin")
+        negative_error = ""
+        try:
+            negative_error = str(negative.json().get("error", ""))
+        except ValueError:
+            negative_error = ""
+        negative_denied = negative.status_code == 403 and negative_error == "origin_not_allowed"
+        ok = allowed_origin == origin and positive.status_code == 200 and negative_denied
         detail = (
-            "CORS allows only the configured frontend origin."
+            "Configured origin is allowed and disallowed origins cannot read API data."
             if ok
-            else "CORS allowlist is incorrect."
+            else "CORS origin enforcement is incorrect."
         )
         return PlaygroundCheck(
             "cors_correct",
@@ -229,9 +242,13 @@ def _check_cors(
                 "positive_status_code": positive.status_code,
                 "negative_status_code": negative.status_code,
                 "allowed_origin": allowed_origin,
-                "negative_allowed_origin": rejected_origin,
+                "negative_allowed_origin": negative_allowed_origin,
+                "negative_error": negative_error,
+                "negative_preflight_status_code": preflight.status_code,
+                "negative_preflight_allowed_origin": preflight_allowed_origin,
                 "positive_latency_ms": round(positive_latency_ms, 2),
                 "negative_latency_ms": round(negative_latency_ms, 2),
+                "negative_preflight_latency_ms": round(preflight_latency_ms, 2),
             },
         )
     except Exception as exc:

playground/api/app.py

@@ -13,6 +13,7 @@ import asyncio
 import io
 import logging
 import os
+import re
 import tempfile
 import time
 import uuid
@@ -355,6 +356,50 @@ class FallbackRateLimitMiddleware(BaseHTTPMiddleware):
         return await call_next(request)
 
 
+class OriginGuardMiddleware(BaseHTTPMiddleware):
+    """Reject browser requests from origins outside the configured allowlist."""
+
+    def __init__(
+        self,
+        app: ASGIApp,
+        *,
+        allow_origins: list[str],
+        allow_origin_regex: str | None,
+    ) -> None:
+        super().__init__(app)
+        self._allow_origins = frozenset(allow_origins)
+        self._allow_origin_pattern = (
+            re.compile(allow_origin_regex) if allow_origin_regex is not None else None
+        )
+
+    def _allowed(self, origin: str) -> bool:
+        if origin in self._allow_origins:
+            return True
+        return bool(
+            self._allow_origin_pattern is not None
+            and self._allow_origin_pattern.fullmatch(origin)
+        )
+
+    async def dispatch(
+        self,
+        request: Request,
+        call_next: RequestResponseEndpoint,
+    ) -> Response:
+        """Deny disallowed browser origins before endpoint handlers run."""
+        origin = request.headers.get("origin")
+        if origin and not self._allowed(origin):
+            return problem_response(
+                status=403,
+                type_="https://dataforge.local/problems/origin_not_allowed",
+                title="Origin Not Allowed",
+                detail="This playground backend only accepts browser requests from configured frontend origins.",
+                instance=str(request.url.path),
+                error="origin_not_allowed",
+                request_id=_request_id(request),
+            )
+        return await call_next(request)
+
+
 if _SlowapiLimiter is not None:
     limiter: _LimiterLike = cast(
         _LimiterLike,
@@ -385,6 +430,10 @@ def _build_cors_origin_regex() -> str | None:
     return "^(" + "|".join(patterns) + ")$"
 
 
+CORS_ORIGINS = _build_cors_origins()
+CORS_ORIGIN_REGEX = _build_cors_origin_regex()
+
+
 app = FastAPI(
     title="DataForge Playground API",
     description="Stateless backend for the hosted DataForge playground.",
@@ -401,12 +450,17 @@ if not SLOWAPI_AVAILABLE:
     app.add_middleware(FallbackRateLimitMiddleware)
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=_build_cors_origins(),
-    allow_origin_regex=_build_cors_origin_regex(),
+    allow_origins=CORS_ORIGINS,
+    allow_origin_regex=CORS_ORIGIN_REGEX,
     allow_methods=["GET", "POST", "OPTIONS"],
     allow_headers=["*"],
     allow_credentials=False,
 )
+app.add_middleware(
+    OriginGuardMiddleware,
+    allow_origins=CORS_ORIGINS,
+    allow_origin_regex=CORS_ORIGIN_REGEX,
+)
 app.add_middleware(RequestContextMiddleware)
 app.state.limiter = limiter
 app.add_exception_handler(HTTPException, problem_exception_handler)
@@ -747,7 +801,7 @@ async def health() -> dict[str, Any]:
         "server_time_utc": datetime.now(UTC).isoformat(),
         "environment": _environment_name(),
         "limits": _limits_payload(),
-        "cors_configured": bool(_build_cors_origins() or _build_cors_origin_regex()),
+        "cors_configured": bool(CORS_ORIGINS or CORS_ORIGIN_REGEX),
         "otel_enabled": os.environ.get("DATAFORGE_OTEL_ENABLED", "").strip().lower()
         in OTEL_ENABLED_VALUES,
         "otel_instrumented": OTEL_INSTRUMENTED,