lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add environment-driven CORS settings and backend regression tests

Browse Source
This commit is contained in:
Lukas
2026-04-06 20:42:33 +02:00
parent 89ab41cc9e
commit 1a7096b276
5 changed files with 74 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Docs/Tasks.md
View File

@@ -53,7 +53,7 @@ Reference: `Docs/Refactoring.md` for full analysis of each issue.
### Backend Feature Work ### Backend Feature Work
- **Document and implement backend-safe environment-driven CORS.** - **Document and implement backend-safe environment-driven CORS.**
- Add support for production and local development origins through configuration. - Add support for production and local development origins through configuration.
- Avoid a hardcoded Vite origin in the core app factory. - Avoid a hardcoded Vite origin in the core app factory.

4
backend/.env.example
View File

@@ -20,3 +20,7 @@ BANGUI_TIMEZONE=UTC
# Application log level: debug | info | warning | error | critical # Application log level: debug | info | warning | error | critical
BANGUI_LOG_LEVEL=info BANGUI_LOG_LEVEL=info
# Comma-separated list of allowed CORS origins when the frontend is served
# from a different origin than the backend.
BANGUI_CORS_ALLOWED_ORIGINS=http://localhost:5173

8
backend/app/config.py
View File

@@ -41,6 +41,14 @@ class Settings(BaseSettings):
default="UTC", default="UTC",
description="IANA timezone name used when displaying timestamps in the UI.", description="IANA timezone name used when displaying timestamps in the UI.",
) )
cors_allowed_origins: list[str] = Field(
default_factory=lambda: ["http://localhost:5173"],
description=(
"Comma-separated list of allowed CORS origins when the frontend is "
"served from a different origin than the backend. "
"Leave empty to disable cross-origin requests in production."
),
)
log_level: str = Field( log_level: str = Field(
default="info", default="info",
description="Application log level: debug | info | warning | error | critical.", description="Application log level: debug | info | warning | error | critical.",

20
backend/app/main.py
View File

@@ -345,15 +345,17 @@ def create_app(settings: Settings | None = None) -> FastAPI:
set_setup_complete_cache(app, False) set_setup_complete_cache(app, False)
# --- CORS --- # --- CORS ---
# In production the frontend is served by the same origin. # Allow origins configured by the runtime environment. In production,
# CORS is intentionally permissive only in development. # this should be explicitly set to the frontend origin(s) or left empty
app.add_middleware( # when the UI is served from the same origin as the API.
CORSMiddleware, if resolved_settings.cors_allowed_origins:
allow_origins=["http://localhost:5173"], # Vite dev server app.add_middleware(
allow_credentials=True, CORSMiddleware,
allow_methods=["*"], allow_origins=resolved_settings.cors_allowed_origins,
allow_headers=["*"], allow_credentials=True,
) allow_methods=["*"],
allow_headers=["*"],
)
# --- Middleware --- # --- Middleware ---
# Note: middleware is applied in reverse order of registration. # Note: middleware is applied in reverse order of registration.

50
backend/tests/test_main.py Normal file
View File

@@ -0,0 +1,50 @@
"""Unit tests for backend application startup and middleware configuration."""
from app.config import Settings
from app.main import CORSMiddleware, create_app
def test_create_app_configures_cors_from_settings() -> None:
"""The FastAPI app registers CORS middleware with the configured origins."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
session_duration_minutes=60,
timezone="UTC",
log_level="debug",
cors_allowed_origins=["https://frontend.example.com"],
)
app = create_app(settings=settings)
cors_middleware = [
middleware for middleware in app.user_middleware if middleware.cls is CORSMiddleware
]
assert len(cors_middleware) == 1
assert cors_middleware[0].kwargs["allow_origins"] == ["https://frontend.example.com"]
assert cors_middleware[0].kwargs["allow_credentials"] is True
assert cors_middleware[0].kwargs["allow_methods"] == ["*"]
assert cors_middleware[0].kwargs["allow_headers"] == ["*"]
def test_create_app_skips_cors_when_no_origins_are_configured() -> None:
"""The FastAPI app does not add CORS middleware when no origins are configured."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
session_duration_minutes=60,
timezone="UTC",
log_level="debug",
cors_allowed_origins=[],
)
app = create_app(settings=settings)
cors_middleware = [
middleware for middleware in app.user_middleware if middleware.cls is CORSMiddleware
]
assert cors_middleware == []