Fix CORS for Railway PR environments

Add ALLOW_RAILWAY_ORIGINS env var that enables regex-based CORS allowing any *.up.railway.app origin. This makes PR environment testing work without manually setting FRONTEND_URL for each PR. Set ALLOW_RAILWAY_ORIGINS=true in Railway backend env vars. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 01:35:44 -05:00
parent c782d41eff
commit 76653bab1e
2 changed files with 38 additions and 8 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -40,6 +40,8 @@ class Settings(BaseSettings):
    # CORS - set FRONTEND_URL in production (e.g., https://patherly.up.railway.app)
    CORS_ORIGINS: list[str] = ["http://localhost:3000", "http://localhost:5173", "http://localhost:5174"]
    FRONTEND_URL: Optional[str] = None
+    # Allow all Railway PR environments (set to True in Railway env vars)
+    ALLOW_RAILWAY_ORIGINS: bool = False

    @property
    def allowed_origins(self) -> list[str]:
@@ -49,6 +51,15 @@ class Settings(BaseSettings):
            origins.append(self.FRONTEND_URL)
        return origins

+    def is_origin_allowed(self, origin: str) -> bool:
+        """Check if an origin is allowed, including Railway wildcard pattern."""
+        if origin in self.allowed_origins:
+            return True
+        # Allow any *.up.railway.app origin for PR environments
+        if self.ALLOW_RAILWAY_ORIGINS and origin.endswith(".up.railway.app"):
+            return True
+        return False
+
    class Config:
        env_file = ".env"
        case_sensitive = True