Fix CORS for Railway PR environments

Add ALLOW_RAILWAY_ORIGINS env var that enables regex-based CORS allowing any *.up.railway.app origin. This makes PR environment testing work without manually setting FRONTEND_URL for each PR. Set ALLOW_RAILWAY_ORIGINS=true in Railway backend env vars. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 01:35:44 -05:00
parent c782d41eff
commit 76653bab1e
2 changed files with 38 additions and 8 deletions
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -41,14 +41,33 @@ app = FastAPI(
 app.add_middleware(ErrorLoggingMiddleware)
 app.add_middleware(RequestLoggingMiddleware)

-# Configure CORS
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=settings.allowed_origins,
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
+# Configure CORS with dynamic origin checking for Railway PR environments
+def get_allowed_origins():
+    """Return origins list or callable for dynamic checking."""
+    if settings.ALLOW_RAILWAY_ORIGINS:
+        # Use callable to dynamically check Railway origins
+        def check_origin(origin: str) -> bool:
+            return settings.is_origin_allowed(origin)
+        return check_origin
+    return settings.allowed_origins
+
+# Note: When ALLOW_RAILWAY_ORIGINS is True, we use allow_origin_regex for Railway domains
+if settings.ALLOW_RAILWAY_ORIGINS:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origin_regex=r"https://.*\.up\.railway\.app",
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+else:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=settings.allowed_origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )

 # Include API router
 app.include_router(api_router, prefix=settings.API_V1_PREFIX)