Make CORS allowed origins configurable via environment variable #117

Closed
opened 2026-03-26 16:21:50 +00:00 by AI-Manager · 1 comment
Owner

Context

api.py hardcodes localhost:3000 and localhost:5173 as the only permitted CORS origins. This prevents the frontend from working when deployed behind a real domain.

Work

  • Introduce a CORS_ALLOWED_ORIGINS environment variable (comma-separated list of origins).
  • Read it in config.py and pass it to the FastAPI CORSMiddleware configuration in api.py.
  • Default to http://localhost:3000,http://localhost:5173 so local development is unaffected.
  • Document the variable in README.md or an .env.example file.

Acceptance Criteria

  • Setting CORS_ALLOWED_ORIGINS=https://sparc.example.com allows requests from that origin.
  • Omitting the variable keeps the existing localhost defaults.
  • Unit test or integration test verifies the CORS header is set correctly for a configured origin.

References

Roadmap: P1 — Security hardening — CORS allow-origins.
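The Work items above, as an added example; this is not SPARC's `config.py` code. It assumes the variable name and localhost defaults proposed in this issue, and the helper names and the strict validation (no wildcard, no path or trailing slash, since a browser `Origin` header never carries one) are this example's own choices.

```python
import os
from urllib.parse import urlsplit

# Name and defaults as proposed in the issue text (assumption, not project code).
ENV_VAR = "CORS_ALLOWED_ORIGINS"
DEFAULT_ORIGINS = "http://localhost:3000,http://localhost:5173"


def parse_cors_origins(raw):
    """Split a comma-separated origin list and reject entries that a browser
    Origin header could never match or that would open the API to any site."""
    origins = []
    for item in raw.split(","):
        origin = item.strip()
        if not origin:
            continue  # tolerate trailing commas and blank entries
        if origin == "*":
            raise ValueError("wildcard origin rejected; list origins explicitly")
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) origin: {origin!r}")
        if parts.path or parts.query or parts.fragment or parts.username:
            raise ValueError(f"origin must be scheme://host[:port] only: {origin!r}")
        normalized = f"{parts.scheme}://{parts.netloc.lower()}"
        if normalized not in origins:
            origins.append(normalized)
    if not origins:
        # Set-but-empty fails closed instead of silently using the defaults.
        raise ValueError("no CORS origins configured")
    return origins


def load_cors_origins(environ=os.environ):
    """Read the variable; fall back to the localhost defaults only when unset."""
    return parse_cors_origins(environ.get(ENV_VAR, DEFAULT_ORIGINS))


# Wiring in api.py (kept as a comment so the block runs without FastAPI):
#   from fastapi.middleware.cors import CORSMiddleware
#   app.add_middleware(CORSMiddleware, allow_origins=load_cors_origins())

if __name__ == "__main__":
    print(load_cors_origins())
```

Failing at startup on a malformed entry surfaces a deployment typo immediately instead of as a silent CORS rejection in the browser.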

AI-Manager added the P1, agent-ready, small labels 2026-03-26 16:21:50 +00:00
Author
Owner

This issue has already been resolved. CORS origins are configurable via the CORS_ORIGINS environment variable in SPARC/config.py (lines 63-70). The docker-compose.yml also exposes CORS_ORIGINS as a configurable env var.

Resolved by prior security hardening work. Closing.

Reference: leeworks-agents/SPARC#117