Skip to content

CORS middleware uses raw ALLOWED_ORIGINS string instead of parsed cors_origins list #228

Description

@Jaykolate

The application defines a helper property settings.cors_origins that parses the comma-separated ALLOWED_ORIGINS configuration into a list of origins. However, the FastAPI CORSMiddleware is currently configured with the raw settings.ALLOWED_ORIGINS string instead of the parsed list.

As a result, the middleware may not receive the expected data type for allow_origins, potentially causing incorrect origin matching or CORS failures during frontend integration.

Steps to Reproduce

Configure multiple origins in ALLOWED_ORIGINS, for example:
http://localhost:5173,http://localhost:5174,http://localhost:3000
Start the backend.
Send requests from one of the configured frontend origins.
Observe the CORS behavior.

Current Behavior

CORSMiddleware is configured using:

allow_origins=settings.ALLOWED_ORIGINS

which passes the raw comma-separated string.

Expected Behavior

CORSMiddleware should use the parsed helper:

allow_origins=settings.cors_origins

so it receives a list of origins.

Suggested Fix

Update the middleware configuration in backend/app/main.py:

allow_origins=settings.cors_origins

Impact

Using the parsed helper ensures the middleware receives the correct data type, improves configuration consistency, and prevents potential CORS issues when multiple frontend origins are configured.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions