diff --git a/backend/main.py b/backend/main.py index 6009bb77..25b6cdc8 100644 --- a/backend/main.py +++ b/backend/main.py @@ -130,16 +130,7 @@ class SubnetAwareCORSMiddleware(BaseHTTPMiddleware): async def dispatch(self, request: Request, call_next) -> Response: origin = request.headers.get("origin") - # Check if origin is allowed - if origin and is_origin_allowed(origin): - response = await call_next(request) - response.headers["Access-Control-Allow-Origin"] = origin - response.headers["Access-Control-Allow-Credentials"] = "true" - response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS" - response.headers["Access-Control-Allow-Headers"] = "*" - return response - - # Handle CORS preflight requests + # Handle CORS preflight (OPTIONS) requests FIRST if request.method == "OPTIONS": if origin and is_origin_allowed(origin): return Response( @@ -149,11 +140,22 @@ class SubnetAwareCORSMiddleware(BaseHTTPMiddleware): "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS", "Access-Control-Allow-Headers": "*", + "Content-Length": "0", } ) return Response(status_code=403) - return await call_next(request) + # Process the actual request + response = await call_next(request) + + # Add CORS headers to response if origin is allowed + if origin and is_origin_allowed(origin): + response.headers["Access-Control-Allow-Origin"] = origin + response.headers["Access-Control-Allow-Credentials"] = "true" + response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS" + response.headers["Access-Control-Allow-Headers"] = "*" + + return response app.add_middleware(SubnetAwareCORSMiddleware) log.info("🔒 [CORS] Subnet-aware middleware enabled (exact origins + subnet matching)")