fix: resolve CORS preflight issues and Next.js dev origin warnings

- Simplify backend CORS middleware to use standard FastAPI implementation
- Keep subnet validation function for future use in route-level checks
- Add Tailscale subnet pattern to Next.js allowedDevOrigins config
- Both individual IPs and subnet configurations now work correctly
This commit is contained in:
2026-04-21 15:19:45 +03:00
parent 983d6e4bb4
commit 2078cd9ade
2 changed files with 4 additions and 39 deletions

View File

@@ -120,47 +120,11 @@ def is_origin_allowed(origin: str) -> bool:
return False
# Custom CORS middleware class that supports subnets
from starlette.middleware.cors import CORSMiddleware as StarletteCORSMiddleware
from starlette.types import ASGIApp, Receive, Scope, Send, Message
class SubnetAwareCORSMiddleware(StarletteCORSMiddleware):
def __init__(self, *args, **kwargs):
# Keep simple origins list for backward compatibility
super().__init__(*args, **kwargs)
def allow_all_origins(self) -> bool:
return False
def preflight_allowed_origin(self, origin: str) -> bool:
# Check using our custom function
return is_origin_allowed(origin)
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
# Override to use our subnet-aware checking
if scope["type"] != "http":
await self.app(scope, receive, send)
return
method = scope["method"]
headers = dict(scope["headers"])
origin = headers.get(b"origin", b"").decode()
if self.preflight_allowed_origin(origin):
scope["headers"] = [
(name, value) for (name, value) in scope["headers"]
if name.lower() != b"origin"
]
scope["headers"] += [
(b"origin", origin.encode()),
]
await super().__call__(scope, receive, send)
# Add CORS middleware FIRST (before rate limiter)
# Use custom middleware that supports subnet validation
# Note: Subnet validation happens during configuration (EXTRA_ALLOWED_ORIGINS)
# The is_origin_allowed() function is available for route-level validation if needed
app.add_middleware(
SubnetAwareCORSMiddleware if ALLOWED_SUBNETS else CORSMiddleware,
CORSMiddleware,
allow_origins=ALLOWED_ORIGINS,
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],

View File

@@ -14,6 +14,7 @@ const nextConfig = {
"localhost",
"127.0.0.1",
"*.local",
"100.78.182.*", // VPN/Tailscale subnet (100.78.182.0/24)
],
};