fix: allow credentials on CORS for Vite dev server
The dev-server allow-list (VITE_DEV_ORIGINS = localhost:5173 + 127.0.0.1:5173 + CYCLONE_ALLOWED_ORIGINS) is tight enough that `allow_credentials=True` is safe — the browser was dropping the session cookie on cross-origin fetches from the Vite dev server otherwise. Tight allow-list + credentials is the standard setup.
This commit is contained in:
@@ -257,7 +257,7 @@ app = FastAPI(
|
||||
app.add_middleware(
|
||||
CORSMiddleware,
|
||||
allow_origins=VITE_DEV_ORIGINS,
|
||||
allow_credentials=False,
|
||||
allow_credentials=True,
|
||||
allow_methods=["GET", "POST"],
|
||||
allow_headers=["*"],
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user