Fix CORS origin handling for deployed frontend origins by oshankkkk · Pull Request #7 · oshankkkk/Puffnotes

oshankkkk · 2026-04-06T13:27:59Z

The middleware previously returned a hardcoded Access-Control-Allow-Origin, causing preflight failures when the frontend was served from a different Railway domain.
Browsers require the Access-Control-Allow-Origin to either exactly match the request Origin or be a wildcard, so dynamic reflection must be gated by an allowlist.
Allowing origins via environment variables and a safe local default prevents deployment mismatches while keeping local development working.

Replaced the fixed origin with an allowlist-based approach that reads CLIENT_URL and CORS_ALLOWED_ORIGINS (comma-separated) from the environment and normalizes entries by trimming trailing slashes.
The middleware now echoes the request Origin only when it is present in the allowlist and adds Vary: Origin when reflecting the origin.
Added a sensible default of http://localhost:5173 when no CORS env vars are provided and preserved preflight OPTIONS handling returning 200 OK.
Implemented helper functions allowedOriginsFromEnv and isAllowedOrigin in backend/internal/middleware/cors/cors.go to centralize origin parsing and validation.

Ran the backend test suite with cd backend && go test ./... and the tests completed successfully.
Test output included successful packages such as backend/internal/api/handler, backend/internal/api/request, backend/internal/api/response, and backend/internal/api/validator reporting ok.
No middleware-specific unit tests were present, and no test failures occurred in the run.

Fix CORS origin handling for Railway frontend

b441e60

oshankkkk added the codex label Apr 6, 2026 — with ChatGPT Codex Connector

oshankkkk merged commit ccbade2 into corsbugfix Apr 6, 2026
1 of 2 checks passed

oshankkkk deleted the codex/fix-cors-policy-for-fetch-requests branch April 7, 2026 16:14

Provide feedback