Closed
6 changes: 6 additions & 0 deletions backend/README.md
Expand Up @@ -2,6 +2,12 @@
uv run uvicorn main:api --port 5001
```

### CORS

CORS is restricted to avoid allowing arbitrary origins. Configure allowed browser origins in `~/.eigent/.env`:

- **`CORS_ORIGINS`** (optional): Comma-separated list of origins, e.g. `http://localhost:5173,http://localhost:3000`. In development, if unset, common localhost origins are allowed; in production, no origins are allowed until you set this.

i18n operation process: https://github.com/Anbarryprojects/fastapi-babel

```bash
54 changes: 46 additions & 8 deletions backend/app/__init__.py
Expand Up @@ -12,17 +12,55 @@
# limitations under the License.
# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========

import logging
import os

from dotenv import load_dotenv
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

# Load env so CORS_ORIGINS is available when this module is imported (before main runs).
load_dotenv(dotenv_path=os.path.join(os.path.expanduser("~"), ".eigent", ".env"))

logger = logging.getLogger(__name__)

# Initialize FastAPI with title
api = FastAPI(title="Eigent Multi-Agent System API")

# Add CORS middleware
api.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)

def _get_cors_origins() -> list[str]:
"""
CORS allowed origins. Avoids overly permissive '*' to prevent unwanted origins.
Set CORS_ORIGINS (comma-separated) in ~/.eigent/.env or environment;
in development only, defaults to common localhost origins if unset.
"""
raw = os.environ.get("CORS_ORIGINS")
if raw is not None and raw.strip():
origins = [o.strip() for o in raw.split(",") if o.strip()]
if origins:
return origins
if os.environ.get("ENVIRONMENT", "development").lower() == "development":
return [
"http://localhost:5173",
"http://127.0.0.1:5173",
"http://localhost:3000",
"http://127.0.0.1:3000",
]
return []


_cors_origins = _get_cors_origins()
if _cors_origins:
api.add_middleware(
CORSMiddleware,
allow_origins=_cors_origins,
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
allow_headers=["Content-Type", "Authorization", "x-stack-auth"],
)
logger.info("CORS enabled for origins: %s", _cors_origins)
else:
logger.info(
"CORS disabled (no CORS_ORIGINS set in non-development). "
"Set CORS_ORIGINS (comma-separated) to allow browser origins."
)
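Review bot: `_get_cors_origins` returns whatever is in `CORS_ORIGINS`, including a literal `*`, and the middleware is still registered with `allow_credentials=True`. As far as I know, Starlette's `CORSMiddleware` treats a `*` entry as allow-all and, with credentials enabled, echoes the requesting origin back, so `CORS_ORIGINS=*` would quietly restore the behaviour this commit removes. I would drop the wildcard while parsing, e.g. `origins = [o for o in (p.strip() for p in raw.split(",")) if o and o != "*"]`, and log a warning when one is seen. Separately, `os.environ.get("ENVIRONMENT", "development")` means a deployment that never sets `ENVIRONMENT` gets the localhost defaults, so the README's "in production, no origins are allowed" only holds when `ENVIRONMENT` is set explicitly. That should be documented, or the default should fail closed.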