From 08afe20909a8239c41e93df5c26791961c3a8854 Mon Sep 17 00:00:00 2001
From: CELin <chingenlin71@gmail.com>
Date: Tue, 28 Oct 2025 11:03:01 +0100
Subject: [PATCH 1/5] feat: Enhance CORS configuration for production and
 development environments

---
 .github/workflows/google-cloudrun-docker.yml |  1 +
 backend/main.py                              | 44 +++++++++++++++++++-
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/google-cloudrun-docker.yml b/.github/workflows/google-cloudrun-docker.yml
index b3a2cdd..a683d12 100644
--- a/.github/workflows/google-cloudrun-docker.yml
+++ b/.github/workflows/google-cloudrun-docker.yml
@@ -63,6 +63,7 @@ jobs:
           region: '${{ env.REGION }}'
           image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.BACKEND_SERVICE }}:${{ github.sha }}'
           env_vars: |
+            ENVIRONMENT=production
             AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
             AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
             AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
diff --git a/backend/main.py b/backend/main.py
index bdb8853..3a39714 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -1,3 +1,4 @@
+import os
 import uvicorn
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
@@ -5,14 +6,53 @@
 
 app = FastAPI()
 
+# Configure CORS origins based on environment
+# Check for production indicators
+is_production = (
+    os.getenv("ENVIRONMENT") == "production" or
+    os.getenv("GAE_APPLICATION") or  # Google App Engine
+    os.getenv("GOOGLE_CLOUD_PROJECT") or  # Google Cloud
+    os.getenv("K_SERVICE")  # Google Cloud Run
+)
+
+if is_production:
+    # Production: Only allow specific origins
+    allowed_origins = [
+        "https://querypal.virtonomy.io",  # Production frontend
+        "https://querypal-frontend-zynyyoxona-ew.a.run.app",  # Cloud Run frontend URL (pattern)
+        # Add your actual Cloud Run frontend URL when you know it
+    ]
+else:
+    # Development: Allow localhost origins
+    allowed_origins = [
+        "http://localhost:3000",
+        "http://localhost:5173",
+        "http://localhost:8080",
+        "http://127.0.0.1:3000",
+        "http://127.0.0.1:5173",
+        "http://127.0.0.1:8080",
+    ]
+
+print(f"🔧 CORS Configuration - Production mode: {is_production}")
+print(f"🌐 Allowed origins: {allowed_origins}")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=allowed_origins,
     allow_credentials=True,
-    allow_methods=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allow_headers=["*"],
 )
 
+@app.get("/health")
+async def health_check():
+    """Health check endpoint that also shows CORS configuration."""
+    return {
+        "status": "healthy",
+        "cors_production_mode": is_production,
+        "cors_allowed_origins": allowed_origins
+    }
+
 app.include_router(query.router, prefix="/query", tags=["Query"])
 app.include_router(azure.router, prefix="/azure", tags=["Azure"])
 app.include_router(system.router, prefix="/system", tags=["System"])

From 0ba7b95f3ce9781d80299962f6ca30843bc7081b Mon Sep 17 00:00:00 2001
From: CELin <chingenlin71@gmail.com>
Date: Tue, 28 Oct 2025 11:07:57 +0100
Subject: [PATCH 2/5] fix: Update allowed origins for development environment
 in CORS configuration

---
 backend/main.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/backend/main.py b/backend/main.py
index 3a39714..8826df4 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -25,12 +25,10 @@
 else:
     # Development: Allow localhost origins
     allowed_origins = [
-        "http://localhost:3000",
+        "http://localhost:8000",
         "http://localhost:5173",
-        "http://localhost:8080",
-        "http://127.0.0.1:3000",
+        "http://127.0.0.1:8000",
         "http://127.0.0.1:5173",
-        "http://127.0.0.1:8080",
     ]
 
 print(f"🔧 CORS Configuration - Production mode: {is_production}")

From a5a335f3f1411e36f6fc5d95d67ef196b3638c2f Mon Sep 17 00:00:00 2001
From: CELin <chingenlin71@gmail.com>
Date: Tue, 28 Oct 2025 11:10:00 +0100
Subject: [PATCH 3/5] style: Refactor CORS configuration logic and improve
 formatting in main.py

---
 backend/main.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/backend/main.py b/backend/main.py
index 8826df4..b5a3379 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -9,10 +9,10 @@
 # Configure CORS origins based on environment
 # Check for production indicators
 is_production = (
-    os.getenv("ENVIRONMENT") == "production" or
-    os.getenv("GAE_APPLICATION") or  # Google App Engine
-    os.getenv("GOOGLE_CLOUD_PROJECT") or  # Google Cloud
-    os.getenv("K_SERVICE")  # Google Cloud Run
+    os.getenv("ENVIRONMENT") == "production"
+    or os.getenv("GAE_APPLICATION")  # Google App Engine
+    or os.getenv("GOOGLE_CLOUD_PROJECT")  # Google Cloud
+    or os.getenv("K_SERVICE")  # Google Cloud Run
 )
 
 if is_production:
@@ -42,15 +42,17 @@
     allow_headers=["*"],
 )
 
+
 @app.get("/health")
 async def health_check():
     """Health check endpoint that also shows CORS configuration."""
     return {
         "status": "healthy",
         "cors_production_mode": is_production,
-        "cors_allowed_origins": allowed_origins
+        "cors_allowed_origins": allowed_origins,
     }
 
+
 app.include_router(query.router, prefix="/query", tags=["Query"])
 app.include_router(azure.router, prefix="/azure", tags=["Azure"])
 app.include_router(system.router, prefix="/system", tags=["System"])

From 1de345f0df9e618ade4570be993bc757c71dcaa3 Mon Sep 17 00:00:00 2001
From: CE Lin <50169422+ChingEnLin@users.noreply.github.com>
Date: Tue, 28 Oct 2025 11:15:48 +0100
Subject: [PATCH 4/5] remove cors_allowed_origins from response

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 backend/main.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/backend/main.py b/backend/main.py
index b5a3379..a6bede1 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -45,11 +45,10 @@
 
 @app.get("/health")
 async def health_check():
-    """Health check endpoint that also shows CORS configuration."""
+    """Health check endpoint."""
     return {
         "status": "healthy",
         "cors_production_mode": is_production,
-        "cors_allowed_origins": allowed_origins,
     }
 
 

From 7a66b93e2be99610e39919ac06a656756be06201 Mon Sep 17 00:00:00 2001
From: CE Lin <50169422+ChingEnLin@users.noreply.github.com>
Date: Tue, 28 Oct 2025 11:16:13 +0100
Subject: [PATCH 5/5] Update backend/main.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 backend/main.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/backend/main.py b/backend/main.py
index a6bede1..de1292e 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -10,9 +10,7 @@
 # Check for production indicators
 is_production = (
     os.getenv("ENVIRONMENT") == "production"
-    or os.getenv("GAE_APPLICATION")  # Google App Engine
-    or os.getenv("GOOGLE_CLOUD_PROJECT")  # Google Cloud
-    or os.getenv("K_SERVICE")  # Google Cloud Run
+    or os.getenv("K_SERVICE") is not None  # Google Cloud Run
 )
 
 if is_production: