
fix: restrict CORS configuration to trusted origins#103

Open
shogun444 wants to merge 5 commits into LDFLK:main from shogun444:CORS/restrict-CORS-configuration-to-trusted-origins

Conversation

@shogun444

Description

Replaces permissive CORS configuration (allow_origins=["*"]) with a restricted list of trusted origins using the ALLOWED_ORIGINS environment variable.

Defaults to http://localhost:3000 for development.

Related Issue

Fixes #102

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's security posture by transitioning from an overly permissive Cross-Origin Resource Sharing (CORS) configuration to a more secure, restricted approach. By allowing only explicitly defined trusted origins, the change mitigates potential cross-site scripting (XSS) and other web-based vulnerabilities, ensuring that only authorized front-end applications can interact with the API.

Highlights

  • CORS Configuration: Replaced the permissive allow_origins=["*"] setting with a restricted list of trusted origins.
  • Environment Variable Support: Introduced the ALLOWED_ORIGINS environment variable to define the list of allowed origins.
  • Development Default: Set a default allowed origin of http://localhost:3000 for local development environments.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request correctly restricts the CORS configuration by replacing the wildcard * for allow_origins with a configurable list of trusted origins from an environment variable. This is a great security improvement. I've added a couple of suggestions to make the implementation more robust and to further harden the security posture of the CORS policy.

@CLAassistant

CLAassistant commented Mar 24, 2026

CLA assistant check
All committers have signed the CLA.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Member


Move load_dotenv() from inside load_config() and put it right after the imports. Right now, the CORSMiddleware setup happens as soon as the file is loaded, but load_config() only runs much later when the app starts up. Because of that, by the time the middleware looks for ALLOWED_ORIGINS, it hasn't seen the .env file yet and just defaults to localhost:3000.

@yasandu0505 yasandu0505 self-requested a review March 26, 2026 07:57
@yasandu0505
Member

yasandu0505 commented Mar 26, 2026

@shogun444

  • Edit the .env.example file
    If you are adding environment variables, please edit the .env.example file as well, so that no one gets confused. Thanks! 😁💪

@shogun444
Author

Okay, I will do it. Please give me some time.
I will make the PR merge-ready in a few hours.

@shogun444
Author

shogun444 commented Mar 28, 2026

@yasandu0505
could you please check?
I did that.

@yasandu0505
Member

yasandu0505 commented Apr 2, 2026

@yasandu0505 could you please check? I did that.

@shogun444 I have added some comments, brother. Can you resolve them? Thank you!

Member

@yasandu0505 yasandu0505 left a comment


some comments

main.py Outdated
@@ -1,10 +1,15 @@
from fastapi import FastAPI
from src.routers import organisation_router, data_router, search_router, person_router
from dotenv import load_dotenv
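Review bot: `load_dotenv` is imported at the third line of this hunk, but the call site is outside the visible context, and it has to execute before the module-level `CORSMiddleware` setup reads `ALLOWED_ORIGINS`; a `load_dotenv()` that runs later (for example inside a startup-time `load_config()`) means the .env file is ignored and the `http://localhost:3000` default is used silently, with no error to signal the misconfiguration. Given that the project already has a settings module under src/core/config.py, the cleaner fix is to read the variable there and import `settings` in main.py rather than calling dotenv directly from this file.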
Member


You can't access the env like this here. We have a separate config module; you can check it at src/core/config.py. There you can see how we capture env variables. Capture the env variables in that module and expose them through settings.

Then you can import it here in main.py:

from fastapi.middleware.cors import CORSMiddleware
from src.core.config import settings

# Strip whitespace and drop empty entries: "".split(",") is [""], not [],
# so the empty check below would never fire on a bare split.
allowed_origins = [o.strip() for o in settings.ALLOWED_ORIGINS.split(",") if o.strip()]
if not allowed_origins:
    # Wildcard fallback; safe only while allow_credentials stays False,
    # since browsers reject "*" on credentialed responses.
    allowed_origins = ["*"]

app.add_middleware(
    CORSMiddleware,
    allow_origins=allowed_origins,
    allow_credentials=False,
    allow_methods=["*"],
    allow_headers=["*"],
)

Thank you! Happy coding 💪😁

.env.example Outdated
@@ -1,4 +1,5 @@
BASE_URL_QUERY=base-url-query
ALLOWED_ORIGINS=http://localhost:3000
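Review bot: the added `ALLOWED_ORIGINS=http://localhost:3000` line documents neither the value's format nor how it is matched; a comment above it should state that the value is a comma-separated list of origins written as `scheme://host[:port]` with no trailing slash or path (for example `https://app.example.org,http://localhost:3000`), because CORS origin matching is an exact string comparison and a trailing slash or a mismatched scheme would never match and would silently block the front end. Using a placeholder such as `your-allowed-origins`, as requested in this review, also avoids shipping a real-looking development value that nobody remembers to change.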
Member


Can you please change this to something like your-allowed-origins? Thank you!
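One way to handle the ALLOWED_ORIGINS value described in the PR description and in the main.py review comment above, as an added example that is not the LDFLK project's own code: it splits the comma-separated variable, strips and validates each entry, falls back to the development default only when the list is genuinely empty (the pitfall being that `"".split(",")` yields `[""]`, not `[]`, so a bare emptiness check never fires), and shows which Access-Control-Allow-Origin value a server should echo for a given request Origin under exact-match semantics. The function names, the validation rules, and the sample origins are this example's own assumptions; it uses only the standard library, so it runs without FastAPI installed.

```python
"""Added example, not code from the LDFLK repository or this PR: parse and
validate an ALLOWED_ORIGINS value and decide which Access-Control-Allow-Origin
header to send. Names, validation rules and sample values are assumptions."""
import os
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEV_DEFAULT = "http://localhost:3000"  # the development default from the PR


def parse_allowed_origins(raw: Optional[str], default: str = DEV_DEFAULT) -> List[str]:
    """Split a comma-separated env value into a validated origin allow-list.

    "".split(",") is [""] and " , ".split(",") is [" ", " "], so checking
    `if not raw.split(",")` never detects an empty setting. Strip, drop the
    empties, then apply the default.
    """
    origins = [o.strip() for o in (raw or "").split(",") if o.strip()]
    if not origins:
        origins = [default]
    for origin in origins:
        if origin == "*":
            # A wildcard re-creates the permissive policy the PR removes.
            raise ValueError("wildcard origin '*' is not allowed")
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"origin must be scheme://host[:port]: {origin!r}")
        if parts.path or parts.query or parts.fragment or parts.username:
            # Browsers send Origin as scheme://host[:port]; a trailing slash
            # or path would never match and would silently block the client.
            raise ValueError(f"origin must not carry a path: {origin!r}")
    return list(dict.fromkeys(origins))  # de-duplicate, keep order


def cors_allow_origin_header(request_origin: Optional[str], allowed: List[str],
                             allow_credentials: bool = False) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None to send no header.

    Matching is exact: 'http://localhost:3000' matches neither
    'https://localhost:3000' nor 'http://localhost:3000/'.
    """
    if "*" in allowed:
        if allow_credentials:
            # Browsers reject '*' on credentialed responses, and echoing the
            # caller's origin instead would let any site make authenticated calls.
            raise ValueError("wildcard origin cannot be combined with credentials")
        return "*"
    if request_origin is not None and request_origin in allowed:
        return request_origin
    return None


def load_cors_kwargs(environ=None) -> Dict[str, object]:
    """Keyword arguments for FastAPI's CORSMiddleware, read at call time.

    Reading the variable when this function runs (after load_dotenv() or the
    settings module has executed) avoids the import-order problem raised in
    the review, where a value read before .env was loaded silently fell back
    to the default.
    """
    env = os.environ if environ is None else environ
    return {
        "allow_origins": parse_allowed_origins(env.get("ALLOWED_ORIGINS")),
        "allow_credentials": False,
        "allow_methods": ["GET", "POST", "OPTIONS"],
        "allow_headers": ["Authorization", "Content-Type"],
    }


if __name__ == "__main__":
    # Constructed sample: two trusted origins plus a stray space and a duplicate.
    sample = {"ALLOWED_ORIGINS": " https://app.example.org, http://localhost:3000,https://app.example.org"}
    kwargs = load_cors_kwargs(sample)
    print("allow_origins:", kwargs["allow_origins"])
    for origin in ("https://app.example.org", "https://evil.example", "http://localhost:3000/"):
        print(origin, "->", cors_allow_origin_header(origin, kwargs["allow_origins"]))
```

To wire this into a FastAPI app, call `app.add_middleware(CORSMiddleware, **load_cors_kwargs())` after the settings module has loaded; the explicit method and header lists are tighter than the `["*"]` values in the suggested snippet and can be widened per route as needed.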

@shogun444
Author

Yes, I'll do it and commit the changes by today.

@yasandu0505
Member

Yes, I'll do it and commit the changes by today.

Thank You Brother 💪

@shogun444
Author

@yasandu0505 is this okay?


Development

Successfully merging this pull request may close these issues.

Restrict CORS configuration to trusted origins

4 participants