From c949bcd211da78f140a28ad5cd6f811f5e0b9e0f Mon Sep 17 00:00:00 2001 From: Daniel Bedeleanu Date: Sat, 11 Apr 2026 14:38:43 +0300 Subject: [PATCH] fix: reorder CORS middleware before rate limiter to fix OPTIONS preflight --- backend/main.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/backend/main.py b/backend/main.py index e01ab96c..a62e8492 100644 --- a/backend/main.py +++ b/backend/main.py @@ -15,10 +15,6 @@ log.info("Database tables verified.") app = FastAPI(title="TFM aInventory API", version="1.1.0") log.info("TFM aInventory API process started.") -# [H-02] Rate limiting on API -limiter = Limiter(key_func=get_remote_address) -app.state.limiter = limiter - # [SECURITY FIX M-01] CORS: allow_origins=["*"] + allow_credentials=True is invalid per spec. # Allowed origins are configured via ALLOWED_ORIGINS environment variable (comma-separated). # Secure fallback: localhost only for development. @@ -29,6 +25,7 @@ _raw_origins = os.environ.get( ALLOWED_ORIGINS = [o.strip() for o in _raw_origins.split(",") if o.strip()] log.info(f"CORS allowed origins: {ALLOWED_ORIGINS}") +# Add CORS middleware FIRST (before rate limiter) app.add_middleware( CORSMiddleware, allow_origins=ALLOWED_ORIGINS, @@ -37,6 +34,10 @@ app.add_middleware( allow_headers=["*"], ) +# [H-02] Rate limiting on API +limiter = Limiter(key_func=get_remote_address) +app.state.limiter = limiter + app.include_router(items.router) app.include_router(operations.router) app.include_router(users.router)