fix: add CORS preflight handler and ACAO header for embed config endpoint (#403)

* fix: add CORS preflight handler and ACAO header for embed config endpoint

The GET /public/embed/config/{token} endpoint is fetched by external
websites (third-party embed sites). The global CORSMiddleware only covers
first-party origins, so external origins received no
Access-Control-Allow-Origin header, causing browser preflight failures.

Add an OPTIONS /config/{token} handler that validates the origin against the
token's allowed_domains list and returns the appropriate CORS headers.
Also inject Access-Control-Allow-Origin into the GET response via FastAPI's
response parameter so the actual request succeeds cross-origin.

Closes #383

* fix: complete public embed CORS handling

---------

Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
nuthalapativarun 2026-06-03 08:57:44 -07:00 committed by GitHub
parent cdb27c1d4f
commit dace4a7efc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 466 additions and 79 deletions


@ -117,6 +117,15 @@ app.add_middleware(
allow_headers=["*"],
)
def _add_public_embed_cors_middleware() -> None:
from api.routes.public_embed import PublicEmbedCORSMiddleware
app.add_middleware(PublicEmbedCORSMiddleware, api_prefix=API_PREFIX)
_add_public_embed_cors_middleware()
api_router = APIRouter()
# include subrouters here
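Review bot: the order of the two add_middleware calls in this hunk is load-bearing but undocumented. Starlette's app.add_middleware inserts at the front of the stack, so the most recently added middleware is the outermost one; PublicEmbedCORSMiddleware is added after the global CORSMiddleware and therefore sees a cross-origin preflight first, before the global middleware would answer it with a rejection for a non-first-party origin. If someone later moves `_add_public_embed_cors_middleware()` above the global `app.add_middleware(` block, the embed preflight silently breaks again. Suggest a one-line comment above `def _add_public_embed_cors_middleware() -> None:` stating that it must run after the global CORSMiddleware registration, and a second comment on the deferred `from api.routes.public_embed import PublicEmbedCORSMiddleware` explaining why the import is local to the function (presumably an import cycle with api.routes, but the hunk does not say). Also worth reconciling with the commit message, which describes a route-level OPTIONS handler plus a `response` parameter on the GET route, while this hunk wires up a middleware: confirm the two paths do not both emit Access-Control-Allow-Origin for the same request, and state in the commit message which one is authoritative.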