lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add environment-driven CORS settings and backend regression tests

Browse Source
This commit is contained in:
Lukas
2026-04-06 20:42:33 +02:00
parent 89ab41cc9e
commit 1a7096b276
5 changed files with 74 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/.env.example
View File

@@ -20,3 +20,7 @@ BANGUI_TIMEZONE=UTC
# Application log level: debug | info | warning | error | critical
BANGUI_LOG_LEVEL=info
# Comma-separated list of allowed CORS origins when the frontend is served
# from a different origin than the backend.
BANGUI_CORS_ALLOWED_ORIGINS=http://localhost:5173

8
backend/app/config.py
View File

@@ -41,6 +41,14 @@ class Settings(BaseSettings):
default="UTC",
description="IANA timezone name used when displaying timestamps in the UI.",
)
cors_allowed_origins: list[str] = Field(
default_factory=lambda: ["http://localhost:5173"],
description=(
"Comma-separated list of allowed CORS origins when the frontend is "
"served from a different origin than the backend. "
"Leave empty to disable cross-origin requests in production."
),
)
log_level: str = Field(
default="info",
description="Application log level: debug | info | warning | error | critical.",

20
backend/app/main.py
View File

@@ -345,15 +345,17 @@ def create_app(settings: Settings | None = None) -> FastAPI:
set_setup_complete_cache(app, False)
# --- CORS ---
# In production the frontend is served by the same origin.
# CORS is intentionally permissive only in development.
app.add_middleware(
CORSMiddleware,
allow_origins=["http://localhost:5173"], # Vite dev server
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
# Allow origins configured by the runtime environment. In production,
# this should be explicitly set to the frontend origin(s) or left empty
# when the UI is served from the same origin as the API.
if resolved_settings.cors_allowed_origins:
app.add_middleware(
CORSMiddleware,
allow_origins=resolved_settings.cors_allowed_origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
# --- Middleware ---
# Note: middleware is applied in reverse order of registration.

50
backend/tests/test_main.py Normal file
View File

@@ -0,0 +1,50 @@
"""Unit tests for backend application startup and middleware configuration."""
from app.config import Settings
from app.main import CORSMiddleware, create_app
def test_create_app_configures_cors_from_settings() -> None:
"""The FastAPI app registers CORS middleware with the configured origins."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
session_duration_minutes=60,
timezone="UTC",
log_level="debug",
cors_allowed_origins=["https://frontend.example.com"],
)
app = create_app(settings=settings)
cors_middleware = [
middleware for middleware in app.user_middleware if middleware.cls is CORSMiddleware
]
assert len(cors_middleware) == 1
assert cors_middleware[0].kwargs["allow_origins"] == ["https://frontend.example.com"]
assert cors_middleware[0].kwargs["allow_credentials"] is True
assert cors_middleware[0].kwargs["allow_methods"] == ["*"]
assert cors_middleware[0].kwargs["allow_headers"] == ["*"]
def test_create_app_skips_cors_when_no_origins_are_configured() -> None:
"""The FastAPI app does not add CORS middleware when no origins are configured."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
session_duration_minutes=60,
timezone="UTC",
log_level="debug",
cors_allowed_origins=[],
)
app = create_app(settings=settings)
cors_middleware = [
middleware for middleware in app.user_middleware if middleware.cls is CORSMiddleware
]
assert cors_middleware == []