fix: add CORS logging to diagnose production issue

[KnellBalm]

Diagnose and fix production CORS issues by adding detailed logging and ensuring deployment update.

The user reported a CORS error for a specific origin in production. Code analysis confirmed the origin is correctly configured in backend/main.py. To investigate further and rule out stale deployments or environment-specific header stripping, CORSLoggingMiddleware was added.

Changes:

• Created CORSLoggingMiddleware in backend/common/middleware.py.
• Registered middleware in backend/main.py.
• Added regression tests in tests/test_cors_logging.py.
• Verified existing CORS configuration via tests.

---

PR created automatically by Jules for task 12351911378339454831 started by @KnellBalm

Summary by Sourcery

Add middleware to log CORS requests and missing response headers and verify its behavior with tests.

New Features:

• Introduce CORSLoggingMiddleware to record CORS request details and detect missing Access-Control-Allow-Origin headers.

Tests:

• Add tests to confirm CORS logging occurs for allowed origins and that warnings are emitted when CORS headers are missing for disallowed origins.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[sourcery-ai]

Reviewer's Guide

Adds a CORS logging middleware to help diagnose missing CORS headers in production and verifies behavior with targeted tests for allowed and disallowed origins.

Sequence diagram for CORSLoggingMiddleware request and response flow

sequenceDiagram
    actor Client
    participant App
    participant CORSLoggingMiddleware
    participant CORSMiddleware
    participant RouteHandler

    Client->>App: HTTP request
    App->>CORSLoggingMiddleware: dispatch(request, call_next)
    CORSLoggingMiddleware->>CORSLoggingMiddleware: Read origin header
    alt Origin header present
        CORSLoggingMiddleware->>CORSLoggingMiddleware: Log CORS Request info
    end
    CORSLoggingMiddleware->>CORSMiddleware: call_next(request)
    CORSMiddleware->>RouteHandler: Process request
    RouteHandler-->>CORSMiddleware: Response
    CORSMiddleware-->>CORSLoggingMiddleware: Response with CORS headers (if configured)
    alt Origin header present
        CORSLoggingMiddleware->>CORSLoggingMiddleware: Check access control allow origin header
        alt Header missing
            CORSLoggingMiddleware->>CORSLoggingMiddleware: Log warning about missing CORS header
        end
    end
    CORSLoggingMiddleware-->>App: Response
    App-->>Client: HTTP response

Loading

Class diagram for new CORSLoggingMiddleware and FastAPI app integration

classDiagram
    class BaseHTTPMiddleware {
        +dispatch(request, call_next)
    }

    class CORSLoggingMiddleware {
        +dispatch(request, call_next)
    }

    class FastAPIApp {
        +add_middleware(middleware_class)
    }

    CORSLoggingMiddleware --|> BaseHTTPMiddleware
    FastAPIApp o--> CORSLoggingMiddleware

Loading

File-Level Changes

Change	Details	Files
Introduce CORSLoggingMiddleware to log CORS request/response details and detect missing CORS headers.	Add a middleware class that logs request origin/method/path when an Origin header is present. After calling the downstream handler, check for Access-Control-Allow-Origin when an Origin header was sent and log a warning if it is missing. Use a dedicated logger namespace for CORS logging to make production diagnostics easier.	backend/common/middleware.py
Register CORSLoggingMiddleware as the outermost middleware in the FastAPI application.	Add the new middleware to the FastAPI app configuration after CORSMiddleware so it wraps all requests/responses. Ensure ordering comment documents that CORSLoggingMiddleware is last so it runs outermost for accurate logging.	backend/main.py
Add regression tests to validate CORS logging behavior for allowed and disallowed origins in production-like settings.	Set ENV to production in tests to mirror production behavior when importing the FastAPI app. Verify that a request from an allowed origin produces an info-level CORS request log, no missing-header warning, and includes the Access-Control-Allow-Origin header in the response. Verify that a request from a disallowed origin triggers a warning log about missing CORS headers and that the Access-Control-Allow-Origin header is absent from the response.	tests/test_cors_logging.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Consider instantiating the backend.middleware.cors logger once (e.g., as a module- or class-level variable) instead of calling get_logger multiple times in CORSLoggingMiddleware.dispatch to avoid repeated lookup overhead and keep the code cleaner.
• The tests in test_cors_logging.py set os.environ["ENV"] = "production" at import time, which can leak into other tests; it would be safer to scope this via a fixture or monkeypatch within the individual tests.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider instantiating the `backend.middleware.cors` logger once (e.g., as a module- or class-level variable) instead of calling `get_logger` multiple times in `CORSLoggingMiddleware.dispatch` to avoid repeated lookup overhead and keep the code cleaner.
- The tests in `test_cors_logging.py` set `os.environ["ENV"] = "production"` at import time, which can leak into other tests; it would be safer to scope this via a fixture or `monkeypatch` within the individual tests.

## Individual Comments

### Comment 1
<location> `tests/test_cors_logging.py:7-8` </location>
<code_context>
+import pytest
+from fastapi.testclient import TestClient
+
+# Set ENV to production
+os.environ["ENV"] = "production"
+
+try:
</code_context>

<issue_to_address>
**suggestion (testing):** Avoid setting ENV at import time; use a per-test fixture/monkeypatch instead

Mutating `os.environ` at module import can leak state across tests and make execution order matter. Instead, use a pytest fixture (optionally `autouse=True`) that monkeypatches `os.environ["ENV"] = "production"` for the duration of each relevant test and restores it afterward to keep tests isolated and deterministic.

Suggested implementation:

```python
import logging
import os
import sys
import pytest
from fastapi.testclient import TestClient

try:
    from backend.main import app
except ImportError:
    sys.path.append(os.getcwd())
    from backend.main import app


@pytest.fixture
def env_production(monkeypatch):
    """Ensure ENV is set to production for the duration of a test."""
    monkeypatch.setenv("ENV", "production")


class TestCORSLogging:

    def test_cors_logging_success(self, caplog, env_production):
        """Test that CORS requests are logged and valid responses don't trigger warnings."""
        caplog.set_level(logging.INFO)

```

If there are other tests in this file that rely on `ENV` being `"production"`, they should also accept the `env_production` fixture as a parameter (e.g. `def test_x(..., env_production):`). Alternatively, you can change the fixture to `@pytest.fixture(autouse=True)` if you want all tests in this module to automatically run with `ENV="production"` without modifying each test signature.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (testing): Avoid setting ENV at import time; use a per-test fixture/monkeypatch instead

Mutating os.environ at module import can leak state across tests and make execution order matter. Instead, use a pytest fixture (optionally autouse=True) that monkeypatches os.environ["ENV"] = "production" for the duration of each relevant test and restores it afterward to keep tests isolated and deterministic.

Suggested implementation:

import logging
import os
import sys
import pytest
from fastapi.testclient import TestClient

try:
    from backend.main import app
except ImportError:
    sys.path.append(os.getcwd())
    from backend.main import app


@pytest.fixture
def env_production(monkeypatch):
    """Ensure ENV is set to production for the duration of a test."""
    monkeypatch.setenv("ENV", "production")


class TestCORSLogging:

    def test_cors_logging_success(self, caplog, env_production):
        """Test that CORS requests are logged and valid responses don't trigger warnings."""
        caplog.set_level(logging.INFO)

If there are other tests in this file that rely on ENV being "production", they should also accept the env_production fixture as a parameter (e.g. def test_x(..., env_production):). Alternatively, you can change the fixture to @pytest.fixture(autouse=True) if you want all tests in this module to automatically run with ENV="production" without modifying each test signature.