fix(kiosk): allow X-Pair-Nonce through production CORS so kiosks can re-pair#498
Conversation
…re-pair A kiosk creating a pairing session POSTs /api/public/kiosk/pair with a custom X-Pair-Nonce header. Because that header is not CORS-safelisted, the browser sends a preflight OPTIONS first. Production's non-wildcard CORS allow_headers list never included X-Pair-Nonce, so the preflight returned 400 "Disallowed CORS headers" and the browser blocked the POST — the kiosk-pair page caught the thrown fetch and showed "Failed to create pairing session". The gap was latent since the nonce flow landed (#272): the live-display path uses X-Kiosk-Session (already allow-listed), so an already-paired kiosk kept working. It only surfaced when a kiosk was unpaired and had to create a fresh session. Local dev/tests never caught it because CORS_ORIGINS=* uses allow_headers=["*"]. Add X-Pair-Nonce to the production allow-list and add a regression test that exercises the prod (explicit-origins) CORS branch and asserts the pair-endpoint preflight allows the header. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 11 minutes and 15 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Why
A kiosk that gets unpaired from its event shows "Failed to create pairing session" and never displays a fresh QR code, so it can't be re-paired to another event.
The kiosk's
POST /api/public/kiosk/paircarries a customX-Pair-Nonceheader, which triggers a browser CORS preflight. Production's non-wildcard CORSallow_headersnever includedX-Pair-Nonce, so the preflight returns400 Disallowed CORS headersand the browser blocks the request before it's sent.This has been latent since the nonce flow (#272): the live-display path uses
X-Kiosk-Session(already allow-listed) so paired kiosks kept working, and local dev/tests useCORS_ORIGINS=*(allow_headers=["*"]) so it never reproduced. Unpairing forces the one code path the prod allow-list blocked.What
X-Pair-Nonceto the production CORSallow_headersinserver/app/main.py.x-pair-nonce(reproduced the exact400before the fix).Testing
test_cors.pyregression test included)🤖 Co-authored by Claude Opus 4.8. Closes #497.