feat(p28b): CORS for Vercel + Cloudflare-Tunnel deploy guide#50
Merged
P28b — operator path for the Vercel-frontend + local-compute
architecture. Three pieces:
1. CORS that doesn't deadlock the browser.
The existing middleware passed allow_origins=['*'] together with
allow_credentials=True, which browsers refuse. The new code reads
the cors_origins list and:
- wildcard ('*' present) -> credentials disabled (still works for
header-based auth: Bearer JWT, X-API-Key);
- concrete origins -> credentials kept on, so cookie/session flows
(OAuth callback) work too.
Also exposes Retry-After + X-Request-ID via Access-Control-Expose-Headers so the Vercel SPA can read them.
2. docs/DEPLOY_VERCEL_TUNNEL.md — full operator guide:
architecture diagram (Vercel SPA -> Cloudflare Tunnel -> FastAPI
on your box), env-var checklist, systemd unit for ropeway serve,
cloudflared install + named-tunnel-vs-quick-tunnel setup, Vercel
side env (ROPEWAY_API_BASE + ROPEWAY_API_KEY), round-trip smoke
tests (health, API key, rate limit), backup/update/troubleshooting.
3. .env.example at the repo root — every operator-relevant env var
in one file, grouped by phase (core / CORS / P28 / OAuth / Razorpay
/ observability), with secret-generation one-liners.
Tests: tests/test_cors_vercel.py — 6 new
- wildcard origin disables credentials (browser-safe)
- concrete Vercel origin allows credentials + echoes origin back
- other origins rejected even when allow-list is set
- Retry-After listed in Access-Control-Expose-Headers
- DEPLOY_VERCEL_TUNNEL.md ships the required keywords
- .env.example carries every operator-critical env var
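Added example (not code from the PR or the ropeway project): a stand-alone model of the rule described above, with the old allow_origins=['*'] + allow_credentials=True combination beside the derived config, and the check a browser applies to a CORS response, so the "deadlock" and the fix can be exercised without a browser or a FastAPI install. Function names (build_cors_config, cors_response_headers, browser_accepts), the placeholder Vercel origin and the request-header list are assumptions of this example; only the keyword names returned by middleware_kwargs follow Starlette's CORSMiddleware.

```python
# Added example, not the PR's or the project's code. It models the rule the PR
# describes (wildcard origin => credentials off; concrete origins => credentials
# on, origin echoed back) plus the browser-side check, so the old/new behaviour
# can be compared offline. Names and the sample origins are assumptions.
from dataclasses import dataclass
from typing import Optional

# Headers the SPA must be able to read from a cross-origin response.
EXPOSED_HEADERS = ("Retry-After", "X-Request-ID")
# Request headers the SPA sends (assumed); listed explicitly because a literal
# '*' in Access-Control-Allow-Headers is ignored for credentialed requests.
ALLOWED_REQUEST_HEADERS = ("Authorization", "X-API-Key", "Content-Type")


@dataclass(frozen=True)
class CorsConfig:
    allow_origins: tuple
    allow_credentials: bool
    expose_headers: tuple = EXPOSED_HEADERS
    allow_headers: tuple = ALLOWED_REQUEST_HEADERS


def build_cors_config(cors_origins) -> CorsConfig:
    """Derive CORS settings from the operator's cors_origins list."""
    origins = tuple(o.strip() for o in cors_origins if o and o.strip())
    if not origins:
        raise ValueError("cors_origins must list at least one origin or '*'")
    if "*" in origins:
        # Wildcard: browsers reject '*' together with credentials, so turn
        # credentials off. Header-based auth (Bearer JWT, X-API-Key) still works.
        return CorsConfig(allow_origins=("*",), allow_credentials=False)
    # Concrete allow-list: credentials stay on so cookie/session flows work.
    return CorsConfig(allow_origins=origins, allow_credentials=True)


def middleware_kwargs(cfg: CorsConfig) -> dict:
    """Keyword arguments in the shape Starlette's CORSMiddleware takes."""
    return {
        "allow_origins": list(cfg.allow_origins),
        "allow_credentials": cfg.allow_credentials,
        "allow_methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
        "allow_headers": list(cfg.allow_headers),
        "expose_headers": list(cfg.expose_headers),
    }


def cors_response_headers(cfg: CorsConfig, origin: str) -> Optional[dict]:
    """Model of the CORS headers the server emits for a request from `origin`.
    Returns None when the origin is not on the allow-list (browser blocks it)."""
    headers = {"Access-Control-Expose-Headers": ", ".join(cfg.expose_headers)}
    if "*" in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = "*"
        return headers
    if origin not in cfg.allow_origins:
        return None
    headers["Access-Control-Allow-Origin"] = origin  # echo the origin, never '*'
    headers["Access-Control-Allow-Credentials"] = "true"
    headers["Vary"] = "Origin"  # caches must not reuse one origin's answer for another
    return headers


def browser_accepts(headers: Optional[dict], origin: str, with_credentials: bool) -> bool:
    """The Fetch-spec check a browser applies before exposing the response."""
    if headers is None:
        return False
    acao = headers.get("Access-Control-Allow-Origin")
    if with_credentials:
        # Credentialed requests need an exact origin match and ACAC: true;
        # a literal '*' fails even though it looks permissive.
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)


# What the old middleware produced: allow_origins=['*'] + allow_credentials=True.
BROKEN_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}


def demo() -> dict:
    origin = "https://ropeway.vercel.app"  # constructed placeholder origin
    concrete = build_cors_config([origin])
    wildcard = build_cors_config(["*"])
    foreign = "https://evil.example"  # constructed, not on the allow-list
    return {
        "old_cookie_flow": browser_accepts(BROKEN_RESPONSE, origin, True),
        "wildcard_bearer": browser_accepts(cors_response_headers(wildcard, origin), origin, False),
        "wildcard_cookie": browser_accepts(cors_response_headers(wildcard, origin), origin, True),
        "concrete_cookie": browser_accepts(cors_response_headers(concrete, origin), origin, True),
        "foreign_origin": browser_accepts(cors_response_headers(concrete, foreign), foreign, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'blocked'}")
```

The "old_cookie_flow" entry is the deadlock: the server says yes twice ('*' plus Allow-Credentials) and the browser still blocks, because a credentialed response needs the exact origin. The Vary: Origin header is worth keeping in the real middleware too, otherwise a CDN or Cloudflare cache in front of the tunnel can serve one origin's echoed Access-Control-Allow-Origin to another.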