The application defines a helper property settings.cors_origins that parses the comma-separated ALLOWED_ORIGINS configuration into a list of origins. However, the FastAPI CORSMiddleware is currently configured with the raw settings.ALLOWED_ORIGINS string instead of the parsed list.
As a result, the middleware may not receive the expected data type for allow_origins, potentially causing incorrect origin matching or CORS failures during frontend integration.
Steps to Reproduce
Configure multiple origins in ALLOWED_ORIGINS, for example:
http://localhost:5173,http://localhost:5174,http://localhost:3000
Start the backend.
Send requests from one of the configured frontend origins.
Observe the CORS behavior.
Current Behavior
CORSMiddleware is configured using:
allow_origins=settings.ALLOWED_ORIGINS
which passes the raw comma-separated string.
Expected Behavior
CORSMiddleware should use the parsed helper:
allow_origins=settings.cors_origins
so it receives a list of origins.
Suggested Fix
Update the middleware configuration in backend/app/main.py:
allow_origins=settings.cors_origins
Impact
Using the parsed helper ensures the middleware receives the correct data type, improves configuration consistency, and prevents potential CORS issues when multiple frontend origins are configured.
The application defines a helper property settings.cors_origins that parses the comma-separated ALLOWED_ORIGINS configuration into a list of origins. However, the FastAPI CORSMiddleware is currently configured with the raw settings.ALLOWED_ORIGINS string instead of the parsed list.
As a result, the middleware may not receive the expected data type for allow_origins, potentially causing incorrect origin matching or CORS failures during frontend integration.
Steps to Reproduce
Configure multiple origins in ALLOWED_ORIGINS, for example:
http://localhost:5173,http://localhost:5174,http://localhost:3000
Start the backend.
Send requests from one of the configured frontend origins.
Observe the CORS behavior.
Current Behavior
CORSMiddleware is configured using:
allow_origins=settings.ALLOWED_ORIGINS
which passes the raw comma-separated string.
Expected Behavior
CORSMiddleware should use the parsed helper:
allow_origins=settings.cors_origins
so it receives a list of origins.
Suggested Fix
Update the middleware configuration in backend/app/main.py:
allow_origins=settings.cors_origins
Impact
Using the parsed helper ensures the middleware receives the correct data type, improves configuration consistency, and prevents potential CORS issues when multiple frontend origins are configured.