fix: reorder CORS middleware before rate limiter to fix OPTIONS preflight

This commit is contained in:
Daniel Bedeleanu
2026-04-11 14:38:43 +03:00
parent 356dfa32f1
commit c949bcd211

View File

@@ -15,10 +15,6 @@ log.info("Database tables verified.")
app = FastAPI(title="TFM aInventory API", version="1.1.0")
log.info("TFM aInventory API process started.")
# [H-02] Rate limiting on API
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
# [SECURITY FIX M-01] CORS: allow_origins=["*"] + allow_credentials=True is invalid per spec.
# Allowed origins are configured via ALLOWED_ORIGINS environment variable (comma-separated).
# Secure fallback: localhost only for development.
@@ -29,6 +25,7 @@ _raw_origins = os.environ.get(
ALLOWED_ORIGINS = [o.strip() for o in _raw_origins.split(",") if o.strip()]
log.info(f"CORS allowed origins: {ALLOWED_ORIGINS}")
# Add CORS middleware FIRST (before rate limiter)
app.add_middleware(
CORSMiddleware,
allow_origins=ALLOWED_ORIGINS,
@@ -37,6 +34,10 @@ app.add_middleware(
allow_headers=["*"],
)
# [H-02] Rate limiting on API
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.include_router(items.router)
app.include_router(operations.router)
app.include_router(users.router)