Skip to content

fix(kiosk): allow X-Pair-Nonce through production CORS so kiosks can re-pair#498

Merged
thewrz merged 1 commit into
mainfrom
fix/kiosk-pair-cors-header
Jun 19, 2026
Merged

fix(kiosk): allow X-Pair-Nonce through production CORS so kiosks can re-pair#498
thewrz merged 1 commit into
mainfrom
fix/kiosk-pair-cors-header

Conversation

@thewrz

@thewrz thewrz commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

Why

A kiosk that gets unpaired from its event shows "Failed to create pairing session" and never displays a fresh QR code, so it can't be re-paired to another event.

The kiosk's POST /api/public/kiosk/pair carries a custom X-Pair-Nonce header, which triggers a browser CORS preflight. Production's non-wildcard CORS allow_headers never included X-Pair-Nonce, so the preflight returns 400 Disallowed CORS headers and the browser blocks the request before it's sent.

This has been latent since the nonce flow (#272): the live-display path uses X-Kiosk-Session (already allow-listed) so paired kiosks kept working, and local dev/tests use CORS_ORIGINS=* (allow_headers=["*"]) so it never reproduced. Unpairing forces the one code path the prod allow-list blocked.

What

  • Add X-Pair-Nonce to the production CORS allow_headers in server/app/main.py.
  • Add a regression test that builds the app under production-style explicit origins and asserts the kiosk pair-endpoint preflight allows x-pair-nonce (reproduced the exact 400 before the fix).

⚠️ Server-side fix — the kiosk only recovers after a backend redeploy to production.

Testing

  • Backend unit tests pass (3062 passed; new test_cors.py regression test included)
  • Coverage gate met (88.62% ≥ 85%)
  • ruff check + ruff format clean; bandit clean
  • Manual verification: after deploy, unpair the kiosk → it shows a fresh QR code and can pair to a new event
  • CI green

🤖 Co-authored by Claude Opus 4.8. Closes #497.

…re-pair

A kiosk creating a pairing session POSTs /api/public/kiosk/pair with a custom
X-Pair-Nonce header. Because that header is not CORS-safelisted, the browser
sends a preflight OPTIONS first. Production's non-wildcard CORS allow_headers
list never included X-Pair-Nonce, so the preflight returned 400 "Disallowed
CORS headers" and the browser blocked the POST — the kiosk-pair page caught the
thrown fetch and showed "Failed to create pairing session".

The gap was latent since the nonce flow landed (#272): the live-display path
uses X-Kiosk-Session (already allow-listed), so an already-paired kiosk kept
working. It only surfaced when a kiosk was unpaired and had to create a fresh
session. Local dev/tests never caught it because CORS_ORIGINS=* uses
allow_headers=["*"].

Add X-Pair-Nonce to the production allow-list and add a regression test that
exercises the prod (explicit-origins) CORS branch and asserts the pair-endpoint
preflight allows the header.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@thewrz, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 15 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 64e028c2-62a8-4c48-bbf8-f825dca910ec

📥 Commits

Reviewing files that changed from the base of the PR and between 002f752 and 54a1bdf.

📒 Files selected for processing (2)
  • server/app/main.py
  • server/tests/test_cors.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/kiosk-pair-cors-header

Comment @coderabbitai help to get the list of available commands and usage tips.

@thewrz thewrz merged commit f533c00 into main Jun 19, 2026
10 checks passed
@thewrz thewrz deleted the fix/kiosk-pair-cors-header branch June 19, 2026 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Kiosk: "Failed to create pairing session" — X-Pair-Nonce blocked by production CORS

1 participant