feat: scoped CORS config, requirements.txt and verification tests#91
Open
madsysharma wants to merge 2 commits into
Conversation
Author
Hi @AditixAnand, please review this PR. Also, could you please add the "gssoc:approved" label to this? Thank you.

Author
Hi @AditixAnand, please review this PR when you find the time to. Also, could you please add the "gssoc:approved" label to this? Thank you.

Author
Hi @AditixAnand, please review this PR. Thank you.
Summary
Closes #11
This feature enables CORS for the Flask backend so the frontend (served from a different origin in dev - Live Server on :5500, or `file://`) can call `/chat`. Scope was limited to issue #11; the chat handler itself is unchanged aside from a logger nit.
Changes
- `backend/app.py` — replaced the bare `CORS(app)` with a scoped config:
  - `/chat` and `/health`
  - `GET, POST, OPTIONS`
  - default origin list (including `"null"` for `file://`); override via the `CORS_ALLOWED_ORIGINS` environment variable
  - `max_age=86400`
- `backend/app.py` — added `GET /health` returning `{"status": "ok"}` for cheap end-to-end verification (no OpenAI tokens spent).
- `backend/requirements.txt` — added (pins `flask`, `flask-cors`, `openai`, `python-dotenv`). `flask-cors` was previously imported but not listed anywhere, so contributors couldn't reproduce the env from the README.
- `backend/.env.example` — added, records `OPENAI_API_KEY` and `CORS_ALLOWED_ORIGINS`.
- `backend/tests/` — added pytest suite covering pre-flight from allowed origin, POST with ACAO header, disallowed origin/s not getting ACAO, `/health` reachability, and the 400 path. OpenAI is mocked so that tests run offline.
- `README.md` — updated setup steps to use `requirements.txt` and documented the verification curl commands.

Verification
End-to-end, against a local run with `Origin: http://127.0.0.1:5500`:

- `GET /health` -> `200`, `Access-Control-Allow-Origin: http://127.0.0.1:5500`
- `OPTIONS /chat` (preflight) -> `200`, ACAO/ACAM/ACAH headers present
- `OPTIONS /chat` from `http://evil.example.com` -> no ACAO header (browser will block it, as intended)

Tests pass locally: `pytest backend/tests -q` -> 5 passed.

Notes for review
The default origin list includes `"null"` because `index.html` is sometimes opened directly off disk during dev - without this, the chatbot's fetch request to `/chat` fails pre-flight. If that's undesirable for prod, drop it from `CORS_ALLOWED_ORIGINS` in the production `.env`.
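As an added example (not the project's code): the allowlist and preflight behaviour the PR describes for flask-cors, reimplemented as a stdlib-only WSGI middleware so it runs without Flask or flask-cors installed. `ScopedCORS`, `parse_allowed_origins`, `backend`, `build_app` and `call` are names invented here, and the default origin list is an assumption (the PR only states that it includes `"null"`). Beyond the three curl probes above it exercises what a reviewer would want checked: exact-match origin comparison (so `http://127.0.0.1:5500.evil.example.com` cannot match `http://127.0.0.1:5500`), `Vary: Origin` on responses that carry ACAO, no CORS headers at all on paths outside the scoped set, and an environment override that drops `"null"`. That last one matters because `Origin: null` is what browsers send for `file://` pages, sandboxed iframes and some redirected requests, so leaving it in a production list lets any such page read the responses.

```python
"""Scoped CORS allowlist on a plain WSGI app (stdlib only).

Added example mirroring the PR's flask-cors behaviour without Flask.
All names here are invented for the example; DEFAULT_ORIGINS is assumed.
"""
import os
from wsgiref.util import setup_testing_defaults

# Assumed dev defaults; production should set CORS_ALLOWED_ORIGINS explicitly
# and leave "null" out of it (see the comment in ScopedCORS.__call__).
DEFAULT_ORIGINS = ("http://127.0.0.1:5500", "http://localhost:5500", "null")


def parse_allowed_origins(value, default=DEFAULT_ORIGINS):
    """Turn a comma-separated CORS_ALLOWED_ORIGINS value into a set of exact origins.

    Blank entries are dropped and no wildcard or prefix syntax exists: origins
    are compared with ==, so an attacker-controlled host that merely starts
    with an allowed origin can never match.
    """
    if value is None or not value.strip():
        return set(default)
    return {item.strip() for item in value.split(",") if item.strip()}


class ScopedCORS:
    """WSGI middleware: CORS headers only on listed paths, only for allowed origins."""

    def __init__(self, app, allowed_origins, paths=("/chat", "/health"),
                 methods=("GET", "POST", "OPTIONS"), max_age=86400):
        self.app = app
        self.allowed = set(allowed_origins)
        self.paths = set(paths)
        self.methods = ", ".join(methods)
        self.max_age = str(max_age)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        path = environ.get("PATH_INFO", "")
        # Exact-match allowlist. "null" is honoured only if listed: file:// pages,
        # sandboxed iframes and some redirects all send Origin: null, so allowing
        # it in production lets any such page read responses.
        allowed = path in self.paths and origin is not None and origin in self.allowed
        cors = []
        if allowed:
            cors = [("Access-Control-Allow-Origin", origin),
                    ("Vary", "Origin")]  # keep caches from replaying one origin's ACAO to another

        is_preflight = (environ.get("REQUEST_METHOD") == "OPTIONS"
                        and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if is_preflight and path in self.paths:
            # Answer preflight here. A disallowed origin gets 200 with no ACAO,
            # which the browser treats as a CORS failure and blocks.
            if allowed:
                cors += [("Access-Control-Allow-Methods", self.methods),
                         ("Access-Control-Allow-Headers",
                          environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS", "Content-Type")),
                         ("Access-Control-Max-Age", self.max_age)]
            start_response("200 OK", [("Content-Length", "0")] + cors)
            return [b""]

        def start_with_cors(status, headers, exc_info=None):
            return start_response(status, headers + cors, exc_info)

        return self.app(environ, start_with_cors)


def backend(environ, start_response):
    """Stand-in for the Flask handlers: GET /health and POST /chat (OpenAI mocked away)."""
    path, method = environ.get("PATH_INFO"), environ.get("REQUEST_METHOD")
    if path == "/health" and method == "GET":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"status": "ok"}']
    if path == "/chat" and method == "POST":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"reply": "mocked"}']
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def build_app(env=None):
    """Wire the allowlist from CORS_ALLOWED_ORIGINS (or the assumed defaults)."""
    env = os.environ if env is None else env
    return ScopedCORS(backend, parse_allowed_origins(env.get("CORS_ALLOWED_ORIGINS")))


def call(app, method, path, origin=None, request_method=None):
    """Drive the WSGI app in-process; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path)
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    if request_method is not None:  # browsers send this header on preflight
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = request_method
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = int(status.split()[0]), dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

`call(build_app({}), "OPTIONS", "/chat", "http://evil.example.com", request_method="POST")` reproduces the third curl probe above: a `200` whose headers contain no `Access-Control-Allow-Origin`. Building with `{"CORS_ALLOWED_ORIGINS": "https://app.example.com"}` shows the production shape, where `Origin: null` is rejected.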