fix: handle CORS preflight OPTIONS requests before routing

This commit is contained in:
2026-04-21 18:17:00 +03:00
parent 87f3b53d53
commit 770b02864d

View File

@@ -130,16 +130,7 @@ class SubnetAwareCORSMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request: Request, call_next) -> Response:
origin = request.headers.get("origin")
# Check if origin is allowed
if origin and is_origin_allowed(origin):
response = await call_next(request)
response.headers["Access-Control-Allow-Origin"] = origin
response.headers["Access-Control-Allow-Credentials"] = "true"
response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
response.headers["Access-Control-Allow-Headers"] = "*"
return response
# Handle CORS preflight requests
# Handle CORS preflight (OPTIONS) requests FIRST
if request.method == "OPTIONS":
if origin and is_origin_allowed(origin):
return Response(
@@ -149,11 +140,22 @@ class SubnetAwareCORSMiddleware(BaseHTTPMiddleware):
"Access-Control-Allow-Credentials": "true",
"Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
"Access-Control-Allow-Headers": "*",
"Content-Length": "0",
}
)
return Response(status_code=403)
return await call_next(request)
# Process the actual request
response = await call_next(request)
# Add CORS headers to response if origin is allowed
if origin and is_origin_allowed(origin):
response.headers["Access-Control-Allow-Origin"] = origin
response.headers["Access-Control-Allow-Credentials"] = "true"
response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
response.headers["Access-Control-Allow-Headers"] = "*"
return response
app.add_middleware(SubnetAwareCORSMiddleware)
log.info("🔒 [CORS] Subnet-aware middleware enabled (exact origins + subnet matching)")