fix: mini cors hardening

This commit is contained in:
Alex
2026-04-23 11:58:20 +01:00
parent 5c07f5f340
commit 107eb56b1d
2 changed files with 33 additions and 4 deletions


@@ -4,7 +4,7 @@ import platform
import uuid
import dotenv
from flask import Flask, jsonify, redirect, request
from flask import Flask, Response, jsonify, redirect, request
from jose import jwt
from application.auth import handle_auth
@@ -148,5 +148,14 @@ def authenticate_request():
request.decoded_token = decoded_token
@app.after_request
def after_request(response: Response) -> Response:
"""Add CORS headers for the pure Flask development entrypoint."""
response.headers["Access-Control-Allow-Origin"] = "*"
response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
return response
if __name__ == "__main__":
app.run(debug=settings.FLASK_DEBUG_MODE, port=7091)
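Review bot: after_request writes `Access-Control-Allow-Origin: *` onto every response without reading the request's Origin, so any site can make cross-origin calls to this entrypoint, including the routes authenticate_request guards just above; for a commit titled "hardening" that widens rather than narrows access. Since `request` is already imported, the handler can echo only an allow-listed origin and tell caches the answer is origin-dependent, e.g. `origin = request.headers.get("Origin")`, `if origin in ALLOWED_ORIGINS:  # placeholder: the project's configured origin list`, `response.headers["Access-Control-Allow-Origin"] = origin` plus `response.headers.add("Vary", "Origin")`. If the wildcard is deliberate because this file is only the "pure Flask development entrypoint" the docstring mentions, the docstring should say that explicitly, e.g. `"""Add permissive CORS headers; dev-only, the ASGI entrypoint applies the real policy."""`, so nobody reuses the handler in a served configuration. authenticate_request begins outside this hunk.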


@@ -105,6 +105,26 @@ class TestAuthenticateRequest:
assert response.status_code == 200
# CORS is handled at the Starlette layer (application/asgi.py) so that
# both the Flask mount and the /mcp mount get consistent headers. See
# tests/test_asgi.py for the replacement coverage.
class TestFlaskCors:
@pytest.mark.unit
def test_cors_headers_on_flask_route(self, client):
response = client.get("/api/health", headers={"Origin": "http://localhost:5173"})
assert response.headers["Access-Control-Allow-Origin"] == "*"
assert response.headers["Access-Control-Allow-Headers"] == "Content-Type, Authorization"
assert response.headers["Access-Control-Allow-Methods"] == "GET, POST, PUT, DELETE, OPTIONS"
@pytest.mark.unit
def test_cors_headers_on_flask_preflight(self, client):
response = client.options(
"/api/health",
headers={
"Origin": "http://localhost:5173",
"Access-Control-Request-Method": "GET",
"Access-Control-Request-Headers": "Content-Type",
},
)
assert response.status_code == 200
assert response.headers["Access-Control-Allow-Origin"] == "*"
assert response.headers["Access-Control-Allow-Headers"] == "Content-Type, Authorization"
assert response.headers["Access-Control-Allow-Methods"] == "GET, POST, PUT, DELETE, OPTIONS"
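Review bot: The three comment lines directly above TestFlaskCors state that CORS is handled at the Starlette layer and that tests/test_asgi.py is the replacement coverage, yet the new class asserts headers set by the Flask app itself, so one of the two is now stale; if both layers set headers the comment should say so and name which one applies to the /api mount. Both tests pin only the permissive wildcard values, so they document the current behaviour without constraining it; a request with no Origin header, or a disallowed origin once an allow-list exists, would make the intended policy explicit. Whether the comment lines are added by this hunk or pre-existing context cannot be told from the rendered page, and the enclosing module continues past this section.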