Fix CORS for Railway PR environments

Add ALLOW_RAILWAY_ORIGINS env var that enables regex-based CORS allowing any *.up.railway.app origin. This makes PR environment testing work without manually setting FRONTEND_URL for each PR. Set ALLOW_RAILWAY_ORIGINS=true in Railway backend env vars. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 01:35:44 -05:00
parent c782d41eff
commit 76653bab1e
2 changed files with 38 additions and 8 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -40,6 +40,8 @@ class Settings(BaseSettings):
    # CORS - set FRONTEND_URL in production (e.g., https://patherly.up.railway.app)
    CORS_ORIGINS: list[str] = ["http://localhost:3000", "http://localhost:5173", "http://localhost:5174"]
    FRONTEND_URL: Optional[str] = None
+    # Allow all Railway PR environments (set to True in Railway env vars)
+    ALLOW_RAILWAY_ORIGINS: bool = False

    @property
    def allowed_origins(self) -> list[str]:
@@ -49,6 +51,15 @@ class Settings(BaseSettings):
            origins.append(self.FRONTEND_URL)
        return origins

+    def is_origin_allowed(self, origin: str) -> bool:
+        """Check if an origin is allowed, including Railway wildcard pattern."""
+        if origin in self.allowed_origins:
+            return True
+        # Allow any *.up.railway.app origin for PR environments
+        if self.ALLOW_RAILWAY_ORIGINS and origin.endswith(".up.railway.app"):
+            return True
+        return False
+
    class Config:
        env_file = ".env"
        case_sensitive = True
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -41,14 +41,33 @@ app = FastAPI(
 app.add_middleware(ErrorLoggingMiddleware)
 app.add_middleware(RequestLoggingMiddleware)

-# Configure CORS
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=settings.allowed_origins,
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
+# Configure CORS with dynamic origin checking for Railway PR environments
+def get_allowed_origins():
+    """Return origins list or callable for dynamic checking."""
+    if settings.ALLOW_RAILWAY_ORIGINS:
+        # Use callable to dynamically check Railway origins
+        def check_origin(origin: str) -> bool:
+            return settings.is_origin_allowed(origin)
+        return check_origin
+    return settings.allowed_origins
+
+# Note: When ALLOW_RAILWAY_ORIGINS is True, we use allow_origin_regex for Railway domains
+if settings.ALLOW_RAILWAY_ORIGINS:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origin_regex=r"https://.*\.up\.railway\.app",
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+else:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=settings.allowed_origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )

 # Include API router
 app.include_router(api_router, prefix=settings.API_V1_PREFIX)