fix: allow credentials on CORS for Vite dev server

The dev-server allow-list (VITE_DEV_ORIGINS = localhost:5173 +
127.0.0.1:5173 + CYCLONE_ALLOWED_ORIGINS) is tight enough that
`allow_credentials=True` is safe — the browser was dropping the
session cookie on cross-origin fetches from the Vite dev server
otherwise. Tight allow-list + credentials is the standard setup.
This commit is contained in:
Nora
2026-06-24 09:14:32 -06:00
parent 07a7ecbdd4
commit 24fbf945c9
+1 -1
View File
@@ -257,7 +257,7 @@ app = FastAPI(
app.add_middleware(
CORSMiddleware,
allow_origins=VITE_DEV_ORIGINS,
allow_credentials=False,
allow_credentials=True,
allow_methods=["GET", "POST"],
allow_headers=["*"],
)