fix: add CORS preflight handler and ACAO header for embed config endpoint

The GET /public/embed/config/{token} endpoint is fetched by external websites (third-party embed sites). The global CORSMiddleware only covers first-party origins, so external origins received no Access-Control-Allow- Origin header, causing browser preflight failures. Add an OPTIONS /config/{token} handler that validates the origin against the token's allowed_domains list and returns the appropriate CORS headers. Also inject Access-Control-Allow-Origin into the GET response via FastAPI's response parameter so the actual request succeeds cross-origin. Closes #383
2026-06-22 08:38:13 +02:00 · 2026-06-02 08:43:33 -07:00 · 2026-06-02 08:43:33 -07:00 · 230ed1846e
commit 230ed1846e
parent acc2ef9e96
2 changed files with 118 additions and 1 deletions
--- a/api/routes/public_embed.py
+++ b/api/routes/public_embed.py
@ -204,8 +204,35 @@ async def initialize_embed_session(request: Request, init_request: InitEmbedRequ
    )


+@router.options("/config/{token}")
+async def options_embed_config(token: str, request: Request):
+    """Handle CORS preflight for the embed config endpoint.
+
+    External sites fetch /config/{token} before calling Start Voice Call.
+    The global CORSMiddleware only covers first-party origins, so we handle
+    CORS explicitly here, gating on the token's allowed_domains list.
+    """
+    origin = request.headers.get("origin", "")
+
+    embed_token = await db_client.get_embed_token_by_token(token)
+    if not embed_token or not embed_token.is_active:
+        return Response(status_code=403)
+
+    if not validate_origin(origin, embed_token.allowed_domains or []):
+        return Response(status_code=403)
+
+    return Response(
+        headers={
+            "Access-Control-Allow-Origin": origin,
+            "Access-Control-Allow-Methods": "GET, OPTIONS",
+            "Access-Control-Allow-Headers": "Content-Type, Origin",
+            "Access-Control-Max-Age": "86400",
+        }
+    )
+
+
@router.get("/config/{token}", response_model=EmbedConfigResponse)
-async def get_embed_config(token: str, request: Request):
+async def get_embed_config(token: str, request: Request, response: Response):
    """Get embed configuration without creating a session.

    This endpoint is used to fetch widget configuration for display purposes
@ -226,6 +253,11 @@ async def get_embed_config(token: str, request: Request):
    if not validate_origin(origin, embed_token.allowed_domains or []):
        raise HTTPException(status_code=403, detail=f"Domain not allowed: {origin}")

+    # Set CORS header explicitly — the global CORSMiddleware covers only
+    # first-party origins; this endpoint is fetched by external embed sites.
+    if origin:
+        response.headers["Access-Control-Allow-Origin"] = origin
+
    # Extract settings with defaults
    settings = embed_token.settings or {}