Fringg 77456efb75 fix: add X-CSRF-Token and X-Telegram-Init-Data to CORS allow_headers ...

The security hardening commit changed allow_headers from ['*'] to
['Authorization', 'Content-Type'], but the frontend sends X-CSRF-Token
on all POST/PUT/DELETE/PATCH requests and X-Telegram-Init-Data on all
requests. The missing headers caused preflight OPTIONS requests to fail
with 400 "Disallowed CORS origin".

2026-03-07 04:30:29 +03:00

..

background

fix: complete datetime.utcnow() → datetime.now(UTC) migration

2026-02-17 04:45:40 +03:00

routes

fix: промокоды — конвертация триалов, race condition, savepoints

2026-03-06 01:33:18 +03:00

schemas

feat: blocked user detection during broadcasts, filter blocked from all notifications

2026-02-17 18:37:25 +03:00

__init__.py

chore: add uv package manager and ruff linter configuration

2026-01-24 17:45:27 +03:00

app.py

fix: add X-CSRF-Token and X-Telegram-Init-Data to CORS allow_headers

2026-03-07 04:30:29 +03:00

dependencies.py

chore: add uv package manager and ruff linter configuration

2026-01-24 17:45:27 +03:00

docs.py

chore: add uv package manager and ruff linter configuration

2026-01-24 17:45:27 +03:00

middleware.py

fix: use sync context manager for structlog bound_contextvars

2026-02-16 09:23:22 +03:00

server.py

refactor: complete structlog migration with contextvars, kwargs, and logging hardening

2026-02-16 09:18:12 +03:00