fix: allow credentials on CORS for Vite dev server
The dev-server allow-list (VITE_DEV_ORIGINS = localhost:5173 + 127.0.0.1:5173 + CYCLONE_ALLOWED_ORIGINS) is tight enough that `allow_credentials=True` is safe — the browser was dropping the session cookie on cross-origin fetches from the Vite dev server otherwise. Tight allow-list + credentials is the standard setup.
This commit is contained in:
@@ -257,7 +257,7 @@ app = FastAPI(
|
|||||||
app.add_middleware(
|
app.add_middleware(
|
||||||
CORSMiddleware,
|
CORSMiddleware,
|
||||||
allow_origins=VITE_DEV_ORIGINS,
|
allow_origins=VITE_DEV_ORIGINS,
|
||||||
allow_credentials=False,
|
allow_credentials=True,
|
||||||
allow_methods=["GET", "POST"],
|
allow_methods=["GET", "POST"],
|
||||||
allow_headers=["*"],
|
allow_headers=["*"],
|
||||||
)
|
)
|
||||||
|
|||||||
Reference in New Issue
Block a user