fix: handle CORS preflight OPTIONS requests before routing
This commit is contained in:
@@ -130,16 +130,7 @@ class SubnetAwareCORSMiddleware(BaseHTTPMiddleware):
|
||||
async def dispatch(self, request: Request, call_next) -> Response:
|
||||
origin = request.headers.get("origin")
|
||||
|
||||
# Check if origin is allowed
|
||||
if origin and is_origin_allowed(origin):
|
||||
response = await call_next(request)
|
||||
response.headers["Access-Control-Allow-Origin"] = origin
|
||||
response.headers["Access-Control-Allow-Credentials"] = "true"
|
||||
response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
|
||||
response.headers["Access-Control-Allow-Headers"] = "*"
|
||||
return response
|
||||
|
||||
# Handle CORS preflight requests
|
||||
# Handle CORS preflight (OPTIONS) requests FIRST
|
||||
if request.method == "OPTIONS":
|
||||
if origin and is_origin_allowed(origin):
|
||||
return Response(
|
||||
@@ -149,11 +140,22 @@ class SubnetAwareCORSMiddleware(BaseHTTPMiddleware):
|
||||
"Access-Control-Allow-Credentials": "true",
|
||||
"Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
|
||||
"Access-Control-Allow-Headers": "*",
|
||||
"Content-Length": "0",
|
||||
}
|
||||
)
|
||||
return Response(status_code=403)
|
||||
|
||||
return await call_next(request)
|
||||
# Process the actual request
|
||||
response = await call_next(request)
|
||||
|
||||
# Add CORS headers to response if origin is allowed
|
||||
if origin and is_origin_allowed(origin):
|
||||
response.headers["Access-Control-Allow-Origin"] = origin
|
||||
response.headers["Access-Control-Allow-Credentials"] = "true"
|
||||
response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
|
||||
response.headers["Access-Control-Allow-Headers"] = "*"
|
||||
|
||||
return response
|
||||
|
||||
app.add_middleware(SubnetAwareCORSMiddleware)
|
||||
log.info("🔒 [CORS] Subnet-aware middleware enabled (exact origins + subnet matching)")
|
||||
|
||||
Reference in New Issue
Block a user