feat(server): CORS for local GUI clients#1063
Merged
Conversation
The cowork desktop build (Tauri webview / browser dev servers) calls the engine's HTTP API cross-origin: candidate, knowledge GET/PUT. The engine binds to localhost, so allowing explicit local-app origins is safe. Defaults cover the desktop vite dev server (1420), vite preview (4173), the web app dev server (3000), and the Tauri webview origin (tauri://localhost); override the list via AUTOCONTEXT_CORS_ORIGINS. Methods limited to GET/PUT/POST and headers to content-type. Unknown origins receive no CORS headers. Tests cover the allowed GET, the PUT preflight from tauri://localhost, the unknown-origin case, and the env override.
Add the new env var to the repo-level .env.example (API server section, with the local-GUI defaults shown) and to the API server section of the package README, noting that remote or custom GUI deployments set it to a comma-separated origin list.
Contributor
Author
Addressed the P3:
Summary
The cowork desktop build (Tauri webview, and browser dev servers) calls the engine's HTTP API cross-origin: `GET /api/runs/{id}/candidate`, `GET/PUT /api/knowledge/{scenario}`. Without CORS headers those requests are blocked by the webview, which is the last gap keeping the desktop cockpit from full parity (candidate panel, knowledge editing, documents-to-knowledge).

Adds `CORSMiddleware` in `create_app()`:

- Default origins: `http://localhost:1420` (desktop vite dev), `http://localhost:4173` (vite preview), `http://localhost:3000` (web app dev), `tauri://localhost` (packaged webview).
- Override: `AUTOCONTEXT_CORS_ORIGINS` (comma-separated).
- Allowed request header: `content-type`.

The engine binds to localhost, so allowing explicit local-app origins does not expose anything new; remote deployments can set the env var.
Tests
- `tests/test_server_cors.py`: allowed GET echoes the origin; PUT preflight from `tauri://localhost` allows PUT; unknown origin receives no CORS headers; `AUTOCONTEXT_CORS_ORIGINS` replaces the defaults.
- Checks in a clean worktree off main: new tests + server health + knowledge endpoint tests pass (12), ruff clean, mypy clean.
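As an added illustration, not the PR's code (which wires Starlette's `CORSMiddleware` into `create_app()`), here is a stdlib-only sketch of the policy the description and tests above spell out: the default local-GUI allowlist, the `AUTOCONTEXT_CORS_ORIGINS` override, echoing only an allowed origin (never `*`), and a PUT preflight from `tauri://localhost`. The helper names `load_origins`/`cors_headers` and the convention that a denied request gets an empty header dict are assumptions of this example.

```python
from __future__ import annotations

import os
from typing import Mapping

# Defaults and limits as stated in the PR description; the helpers below are
# an added illustration, not the project's (Starlette CORSMiddleware) code.
DEFAULT_ORIGINS = (
    "http://localhost:1420",  # desktop vite dev server
    "http://localhost:4173",  # vite preview
    "http://localhost:3000",  # web app dev server
    "tauri://localhost",      # packaged Tauri webview
)
ALLOWED_METHODS = frozenset({"GET", "PUT", "POST"})
ALLOWED_HEADERS = frozenset({"content-type"})


def load_origins(env: Mapping[str, str] = os.environ) -> tuple[str, ...]:
    """Explicit allowlist: AUTOCONTEXT_CORS_ORIGINS (comma-separated) replaces the defaults."""
    raw = env.get("AUTOCONTEXT_CORS_ORIGINS", "")
    custom = tuple(o.strip() for o in raw.split(",") if o.strip())
    return custom or DEFAULT_ORIGINS


def cors_headers(origins, request_headers: Mapping[str, str], method: str) -> dict[str, str]:
    """CORS response headers for one request; {} when the origin is not on the list.

    An allowed origin is echoed verbatim (never "*"), so a page served from any
    other origin sees no Access-Control-* headers and the browser blocks the read.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin is None or origin not in origins:
        return {}
    out = {"access-control-allow-origin": origin, "vary": "Origin"}
    if method.upper() == "OPTIONS" and "access-control-request-method" in hdrs:
        # Preflight: the browser asks whether the method and extra headers are allowed.
        want_method = hdrs["access-control-request-method"].upper()
        want_headers = {h.strip().lower()
                        for h in hdrs.get("access-control-request-headers", "").split(",")
                        if h.strip()}
        if want_method not in ALLOWED_METHODS or not want_headers <= ALLOWED_HEADERS:
            return {}  # simplification: a denied preflight gets no allow headers at all
        out["access-control-allow-methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["access-control-allow-headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    return out
```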