fix: resolve CORS preflight issues and Next.js dev origin warnings
- Simplify backend CORS middleware to use standard FastAPI implementation - Keep subnet validation function for future use in route-level checks - Add Tailscale subnet pattern to Next.js allowedDevOrigins config - Both individual IPs and subnet configurations now work correctly
This commit is contained in:
@@ -120,47 +120,11 @@ def is_origin_allowed(origin: str) -> bool:
|
||||
|
||||
return False
|
||||
|
||||
# Custom CORS middleware class that supports subnets
|
||||
from starlette.middleware.cors import CORSMiddleware as StarletteCORSMiddleware
|
||||
from starlette.types import ASGIApp, Receive, Scope, Send, Message
|
||||
|
||||
class SubnetAwareCORSMiddleware(StarletteCORSMiddleware):
|
||||
def __init__(self, *args, **kwargs):
|
||||
# Keep simple origins list for backward compatibility
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
def allow_all_origins(self) -> bool:
|
||||
return False
|
||||
|
||||
def preflight_allowed_origin(self, origin: str) -> bool:
|
||||
# Check using our custom function
|
||||
return is_origin_allowed(origin)
|
||||
|
||||
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
|
||||
# Override to use our subnet-aware checking
|
||||
if scope["type"] != "http":
|
||||
await self.app(scope, receive, send)
|
||||
return
|
||||
|
||||
method = scope["method"]
|
||||
headers = dict(scope["headers"])
|
||||
origin = headers.get(b"origin", b"").decode()
|
||||
|
||||
if self.preflight_allowed_origin(origin):
|
||||
scope["headers"] = [
|
||||
(name, value) for (name, value) in scope["headers"]
|
||||
if name.lower() != b"origin"
|
||||
]
|
||||
scope["headers"] += [
|
||||
(b"origin", origin.encode()),
|
||||
]
|
||||
|
||||
await super().__call__(scope, receive, send)
|
||||
|
||||
# Add CORS middleware FIRST (before rate limiter)
|
||||
# Use custom middleware that supports subnet validation
|
||||
# Note: Subnet validation happens during configuration (EXTRA_ALLOWED_ORIGINS)
|
||||
# The is_origin_allowed() function is available for route-level validation if needed
|
||||
app.add_middleware(
|
||||
SubnetAwareCORSMiddleware if ALLOWED_SUBNETS else CORSMiddleware,
|
||||
CORSMiddleware,
|
||||
allow_origins=ALLOWED_ORIGINS,
|
||||
allow_credentials=True,
|
||||
allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
|
||||
|
||||
@@ -14,6 +14,7 @@ const nextConfig = {
|
||||
"localhost",
|
||||
"127.0.0.1",
|
||||
"*.local",
|
||||
"100.78.182.*", // VPN/Tailscale subnet (100.78.182.0/24)
|
||||
],
|
||||
};
|
||||
|
||||
|
||||
Reference in New Issue
Block a user