From 24fbf945c9350f5fdb83fbfcfc29ad2102c0bcea Mon Sep 17 00:00:00 2001 From: Nora Date: Wed, 24 Jun 2026 09:14:32 -0600 Subject: [PATCH] fix: allow credentials on CORS for Vite dev server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dev-server allow-list (VITE_DEV_ORIGINS = localhost:5173 + 127.0.0.1:5173 + CYCLONE_ALLOWED_ORIGINS) is tight enough that `allow_credentials=True` is safe — the browser was dropping the session cookie on cross-origin fetches from the Vite dev server otherwise. Tight allow-list + credentials is the standard setup. --- backend/src/cyclone/api.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/cyclone/api.py b/backend/src/cyclone/api.py index a637725..cfb6a3c 100644 --- a/backend/src/cyclone/api.py +++ b/backend/src/cyclone/api.py @@ -257,7 +257,7 @@ app = FastAPI( app.add_middleware( CORSMiddleware, allow_origins=VITE_DEV_ORIGINS, - allow_credentials=False, + allow_credentials=True, allow_methods=["GET", "POST"], allow_headers=["*"], )