Allow preflight requests for cloud template endpoints #1709

Merged: MarceloRGonc merged 19 commits into main from mg/cors on Dec 4, 2025
@MarceloRGonc MarceloRGonc commented Dec 2, 2025

Fixes OPS-3165.

coderabbitai Bot commented Dec 2, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Comment thread packages/server/api/src/app/user-info/user-info.module.ts Fixed
linear Bot commented Dec 2, 2025

@MarceloRGonc MarceloRGonc changed the title from "Doing some cors tests" to "Bypass CORS plugin for cloud template endpoints" Dec 2, 2025
@MarceloRGonc MarceloRGonc marked this pull request as ready for review December 2, 2025 15:35
Copilot AI review requested due to automatic review settings December 2, 2025 15:35
Copilot AI left a comment

Pull request overview

This PR disables CORS handling for cloud template endpoints and user info endpoints by adding cors: false configuration. The changes ensure that these publicly accessible endpoints bypass the default CORS plugin, likely to allow direct access from various origins without preflight request complications.

Key Changes

  • Added cors: false configuration to cloud template endpoints (list and get by slug)
  • Added cors: false configuration to user info endpoint

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/server/api/src/app/flow-template/cloud-template.controller.ts | Disables CORS for two cloud template endpoints that already skip authentication |
| packages/server/api/src/app/user-info/user-info.module.ts | Disables CORS for user info endpoint that already skips authentication |

greptile-apps Bot commented Dec 2, 2025

Greptile Overview

Greptile Summary

Added cors: false configuration to three endpoints (cloud-template.controller.ts:35, cloud-template.controller.ts:77, user-info.module.ts:33) to bypass CORS plugin for cloud template and user info routes.

Critical Issue: The cors property is not defined in the FastifyContextConfig interface (packages/server/api/types/fastify.d.ts:22) and no handler in the codebase checks for config.cors. This means these changes will have no effect - the global @fastify/cors plugin registered in packages/server/api/src/app/app.ts:140 will still process these routes.

The routes already use allowAllOriginsHookHandler (line 27 in both files) which manually sets CORS headers for all origins. To bypass the CORS plugin, you need to either:

  1. Add the cors property to FastifyContextConfig type definition and implement a handler (similar to the bypassCorsPlugin approach from commit a619a57)
  2. Use a different mechanism to exclude these routes from the CORS plugin

Confidence Score: 0/5

  • This PR cannot achieve its intended purpose and should not be merged
  • The cors: false configuration has no implementation - it's not defined in the type system and no handler reads this property. The changes are effectively dead code that won't bypass the CORS plugin as intended. This means OPS-3165 will not be fixed by this PR.
  • All files need attention - the implementation is incomplete. Additionally, packages/server/api/types/fastify.d.ts and packages/server/api/src/app/app.ts need modifications to implement the cors config handling.

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| packages/server/api/src/app/flow-template/cloud-template.controller.ts | 1/5 | Added cors: false config to two endpoints, but this property is not defined in types and has no handler implementation |
| packages/server/api/src/app/user-info/user-info.module.ts | 1/5 | Added cors: false config to endpoint, but this property is not defined in types and has no handler implementation |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Fastify
    participant CORSPlugin as @fastify/cors Plugin
    participant OnRequestHook as allowAllOriginsHookHandler
    participant Route as Cloud Template Route

    Client->>Fastify: GET /v1/cloud-templates
    Note over Fastify: Check route config {cors: false}
    Note over Fastify: ⚠️ No handler reads config.cors
    Fastify->>CORSPlugin: Process CORS (lines 140-165 in app.ts)
    CORSPlugin->>CORSPlugin: Check origin against allowed list
    Note over CORSPlugin: Will reject if not in allowed domains
    Fastify->>OnRequestHook: Execute hook (line 27 in controller)
    OnRequestHook->>OnRequestHook: Set Access-Control-Allow-Origin: *
    Note over OnRequestHook: Manually adds CORS headers
    Fastify->>Route: Execute route handler
    Route-->>Client: Response with conflicting CORS headers
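
Added example (not code from this PR or the project): a dependency-free model of the request order in the diagram above, showing how a route flag that nothing reads leaves preflights to the global allowlist step. The function names, the origins and the assumption that the global step answers OPTIONS itself are constructed for illustration.

```javascript
// Added model of the request order in the diagram above; not project code.
// ALLOWED and both origins are constructed sample values.
const ALLOWED = ['https://app.example.test'];

// Stand-in for the globally registered CORS step (assumption: it echoes only
// allowlisted origins and answers OPTIONS preflights itself).
function globalCorsStep(req, res) {
  const origin = req.headers.origin;
  if (ALLOWED.includes(origin)) res.headers['access-control-allow-origin'] = origin;
  if (req.method === 'OPTIONS') { res.status = 204; res.ended = true; }
}

// Stand-in for the route-level hook that sets Access-Control-Allow-Origin: *.
function allowAllOriginsHook(req, res) {
  res.headers['access-control-allow-origin'] = '*';
}

// readsRouteFlag=false: nothing consults route.config.cors (the flag is dead).
// readsRouteFlag=true: a hypothetical bypass skips the global step for the route.
function handle(req, route, readsRouteFlag) {
  const res = { status: 200, headers: {}, ended: false };
  const bypass = readsRouteFlag && route.config.cors === false;
  if (!bypass) globalCorsStep(req, res);
  if (res.ended) return res; // preflight already answered; route hooks never ran
  for (const hook of route.onRequest) hook(req, res);
  if (req.method === 'OPTIONS') res.status = 204;
  return res;
}

// The browser-side check on the response: wildcard or exact origin match.
function browserAllows(origin, res) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

const route = { config: { cors: false }, onRequest: [allowAllOriginsHook] };
const other = 'https://templates.example.test';
const preflight = { method: 'OPTIONS', headers: { origin: other } };
const get = { method: 'GET', headers: { origin: other } };

function summary() {
  return {
    getFlagIgnored: browserAllows(other, handle(get, route, false)),
    preflightFlagIgnored: browserAllows(other, handle(preflight, route, false)),
    preflightFlagRead: browserAllows(other, handle(preflight, route, true)),
  };
}
console.log(summary());
```

In this model a plain GET from an unlisted origin still passes because the route hook runs after the global step, while the preflight is answered before the hook runs. That ordering is the assumption to verify against the real plugin registration.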

@greptile-apps greptile-apps Bot left a comment

2 files reviewed, 3 comments

Comment thread packages/server/api/src/app/flow-template/cloud-template.controller.ts Outdated
Comment thread packages/server/api/src/app/flow-template/cloud-template.controller.ts Outdated
Comment thread packages/server/api/src/app/user-info/user-info.module.ts Outdated
Comment thread packages/server/api/src/app/user-info/user-info.module.ts Fixed
@MarceloRGonc MarceloRGonc changed the title from "Bypass CORS plugin for cloud template endpoints" to "Allow preflight requests for cloud template endpoints" Dec 2, 2025
sonarqubecloud Bot commented Dec 4, 2025

@MarceloRGonc MarceloRGonc merged commit 63804fb into main Dec 4, 2025
24 checks passed
@MarceloRGonc MarceloRGonc deleted the mg/cors branch December 4, 2025 09:03