Fix CORS issue for frontend and add CORS logging#35
Open
Conversation
- Added `CORSLoggingMiddleware` to `backend/common/middleware.py` and registered it in `backend/main.py`. - Verified and commented the allowed origin `https://query-craft-frontend-758178119666.us-central1.run.app` in `backend/main.py`. - Ran tests to ensure no regressions. Co-authored-by: KnellBalm <90038472+KnellBalm@users.noreply.github.com>
Contributor
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Reviewer's GuideAdds a CORS-focused logging middleware to help detect missing CORS headers in responses, and documents/clarifies a verified allowed frontend origin in the CORS configuration. Sequence diagram for CORSLoggingMiddleware around CORSMiddlewaresequenceDiagram
actor Browser
participant FastAPIApp
participant CORSLoggingMiddleware
participant CORSMiddleware
participant RouteHandler
Browser->>FastAPIApp: HTTP request with Origin header
FastAPIApp->>CORSLoggingMiddleware: process request
CORSLoggingMiddleware->>CORSMiddleware: call_next(request)
CORSMiddleware->>RouteHandler: forward request
RouteHandler-->>CORSMiddleware: response
CORSMiddleware-->>CORSLoggingMiddleware: response with CORS headers
CORSLoggingMiddleware->>CORSLoggingMiddleware: check Origin and Access-Control-Allow-Origin
alt missing Access-Control-Allow-Origin
CORSLoggingMiddleware->>CORSLoggingMiddleware: log CORS warning
end
CORSLoggingMiddleware-->>Browser: final HTTP response
Class diagram for new CORSLoggingMiddlewareclassDiagram
class BaseHTTPMiddleware {
}
class CORSLoggingMiddleware {
+dispatch(request, call_next)
}
CORSLoggingMiddleware --|> BaseHTTPMiddleware
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- Consider instantiating the
backend.middleware.corslogger at module level instead of insidedispatchto avoid repeated logger lookups on every request.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider instantiating the `backend.middleware.cors` logger at module level instead of inside `dispatch` to avoid repeated logger lookups on every request.
## Individual Comments
### Comment 1
<location> `backend/common/middleware.py:52` </location>
<code_context>
+ if not allow_origin:
+ # If it's a 404/500, sometimes headers are missing if not handled correctly.
+ # But generally CORSMiddleware adds them even for errors.
+ logger = get_logger("backend.middleware.cors")
+ logger.warning(f"CORS Warning: Origin '{origin}' requested but no 'Access-Control-Allow-Origin' header in response. Status: {response.status_code}")
+
</code_context>
<issue_to_address>
**suggestion (performance):** Instantiate the logger once at module or class level instead of per-request.
Looking up the logger inside `dispatch` adds unnecessary overhead in a hot path. Define `logger = get_logger("backend.middleware.cors")` at module scope (or as a class attribute) and reuse it inside `dispatch` instead.
Suggested implementation:
```python
if not allow_origin:
# If it's a 404/500, sometimes headers are missing if not handled correctly.
# But generally CORSMiddleware adds them even for errors.
logger.warning(f"CORS Warning: Origin '{origin}' requested but no 'Access-Control-Allow-Origin' header in response. Status: {response.status_code}")
```
```python
logger = get_logger("backend.middleware.cors")
class CORSLoggingMiddleware(BaseHTTPMiddleware):
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| if not allow_origin: | ||
| # If it's a 404/500, sometimes headers are missing if not handled correctly. | ||
| # But generally CORSMiddleware adds them even for errors. | ||
| logger = get_logger("backend.middleware.cors") |
There was a problem hiding this comment.
suggestion (performance): Instantiate the logger once at module or class level instead of per-request.
Looking up the logger inside dispatch adds unnecessary overhead in a hot path. Define logger = get_logger("backend.middleware.cors") at module scope (or as a class attribute) and reuse it inside dispatch instead.
Suggested implementation:
if not allow_origin:
# If it's a 404/500, sometimes headers are missing if not handled correctly.
# But generally CORSMiddleware adds them even for errors.
logger.warning(f"CORS Warning: Origin '{origin}' requested but no 'Access-Control-Allow-Origin' header in response. Status: {response.status_code}")logger = get_logger("backend.middleware.cors")
class CORSLoggingMiddleware(BaseHTTPMiddleware):- Modified `tests/test_cors_config.py` to use a `pytest` fixture for environment isolation. - The fixture now temporarily patches `os.environ` with `ENV=production` and reloads `backend.main`. - After tests, `backend.main` is reloaded again to restore the original development environment, preventing side effects on `tests/test_integration.py` which failed due to missing `POSTGRES_DSN` in production mode. Co-authored-by: KnellBalm <90038472+KnellBalm@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Explicitly verified and commented the allowed origin for the frontend. Added CORSLoggingMiddleware to catch and log potential CORS misconfigurations in production.
PR created automatically by Jules for task 12635860337990726010 started by @KnellBalm
Summary by Sourcery
Add logging middleware to detect and report missing CORS headers on responses while clarifying verified frontend origin configuration.
Enhancements: