Fix a bunch of CORS related issues for deployment

“bchou9” · “bchou9” · commit fb0ff970ec02 · 2025-11-23T04:32:34.000Z
diff --git a/backend/app.py b/backend/app.py
@@ -101,7 +101,17 @@ def handle_rate_limit_exception(e):
 local_regexes = [r"^https?://localhost(:\d+)?$", r"^https?://127\.0\.0\.1(:\d+)?$"]
 
 cors_origins = explicit_allowed + local_regexes
-CORS(app, supports_credentials=True, origins=cors_origins)
+
+CORS(app, 
+     resources={r"/*": {
+         "origins": cors_origins,
+         "methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+         "allow_headers": ["Content-Type", "Authorization", "X-Requested-With", "Accept"],
+         "expose_headers": ["Content-Type", "Authorization"],
+         "supports_credentials": True,
+         "max_age": 3600
+     }}
+)
 
 def origin_allowed(origin):
     """Return True if the provided origin string is allowed by explicit allowed
@@ -126,17 +136,17 @@ def add_cors_headers(response):
     This complements flask-cors and guards against cases where exception paths
     or other middleware may return responses without the proper headers.
     """
+    if response.headers.get("Access-Control-Allow-Origin"):
+        return response
+    
     try:
         origin = request.headers.get("Origin")
         if origin and origin_allowed(origin):
             response.headers["Access-Control-Allow-Origin"] = origin
             response.headers["Access-Control-Allow-Credentials"] = "true"
-        else:
-            fallback = explicit_allowed[0] if explicit_allowed else "http://localhost:10008"
-            response.headers.setdefault("Access-Control-Allow-Origin", fallback)
-            response.headers.setdefault("Access-Control-Allow-Credentials", "true")
-        response.headers.setdefault("Access-Control-Allow-Headers", "Content-Type,Authorization")
-        response.headers.setdefault("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization,X-Requested-With,Accept"
+            response.headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,PATCH,DELETE,OPTIONS"
+            response.headers["Access-Control-Expose-Headers"] = "Content-Type,Authorization"
     except Exception:
         pass
     return response
@@ -165,28 +175,32 @@ def handle_all_exceptions(e):
         if origin and origin_allowed(origin):
             resp.headers["Access-Control-Allow-Origin"] = origin
             resp.headers["Access-Control-Allow-Credentials"] = "true"
+            resp.headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization,X-Requested-With,Accept"
+            resp.headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,PATCH,DELETE,OPTIONS"
+            resp.headers["Access-Control-Expose-Headers"] = "Content-Type,Authorization"
         else:
             fallback = explicit_allowed[0] if explicit_allowed else "http://localhost:10008"
             resp.headers.setdefault("Access-Control-Allow-Origin", fallback)
             resp.headers.setdefault("Access-Control-Allow-Credentials", "true")
-        resp.headers.setdefault("Access-Control-Allow-Headers", "Content-Type,Authorization")
-        resp.headers.setdefault("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
+            resp.headers.setdefault("Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,Accept")
+            resp.headers.setdefault("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
+            resp.headers.setdefault("Access-Control-Expose-Headers", "Content-Type,Authorization")
         return resp
     except Exception:
         # If even the error handler fails, return a minimal JSON response
         logger.exception("Error while handling exception")
         out = make_response(json.dumps({"status": "error", "message": "Fatal error"}), 500)
         out.headers.setdefault("Access-Control-Allow-Origin", "http://localhost:10008")
         out.headers.setdefault("Access-Control-Allow-Credentials", "true")
-        out.headers.setdefault("Access-Control-Allow-Headers", "Content-Type,Authorization")
+        out.headers.setdefault("Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,Accept")
         out.headers.setdefault("Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS")
         out.headers["Content-Type"] = "application/json"
         return out
 
 
 from flask_socketio import SocketIO
 import services.socketio_service as socketio_service
-socketio = SocketIO(app, cors_allowed_origins="*", async_mode="threading")
+socketio = SocketIO(app, cors_allowed_origins=cors_origins, async_mode="threading")
 socketio_service.socketio = socketio
 socketio_service.register_socketio_handlers()
 
diff --git a/backend/config.py b/backend/config.py
@@ -35,6 +35,7 @@
 REFRESH_TOKEN_COOKIE_NAME = os.getenv("REFRESH_TOKEN_COOKIE_NAME", "rescanvas_refresh")
 REFRESH_TOKEN_COOKIE_SECURE = os.getenv("REFRESH_TOKEN_COOKIE_SECURE", "False") == "True"
 REFRESH_TOKEN_COOKIE_SAMESITE = os.getenv("REFRESH_TOKEN_COOKIE_SAMESITE", "Lax")
+REFRESH_TOKEN_COOKIE_PARTITIONED = os.getenv("REFRESH_TOKEN_COOKIE_PARTITIONED", "False") == "True"
 
 ROOM_MASTER_KEY_B64 = os.getenv("ROOM_MASTER_KEY_B64")
 if not ROOM_MASTER_KEY_B64:
diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
@@ -37,6 +37,10 @@ services:
       - JWT_SECRET=${JWT_SECRET:-dev-insecure-change-me}
       - OPENAI_API_KEY=${OPENAI_API_KEY}
       - ANALYTICS_ENABLED=${ANALYTICS_ENABLED:-True}
+      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS}
+      - REFRESH_TOKEN_COOKIE_SECURE=${REFRESH_TOKEN_COOKIE_SECURE:-True}
+      - REFRESH_TOKEN_COOKIE_SAMESITE=${REFRESH_TOKEN_COOKIE_SAMESITE:-None}
+      - REFRESH_TOKEN_COOKIE_PARTITIONED=${REFRESH_TOKEN_COOKIE_PARTITIONED:-True}
     volumes:
       - ./logs:/app/logs
     depends_on:
diff --git a/backend/routes/auth.py b/backend/routes/auth.py
@@ -8,6 +8,7 @@
 from config import (
     JWT_SECRET, JWT_ISSUER, ACCESS_TOKEN_EXPIRES_SECS, REFRESH_TOKEN_EXPIRES_SECS,
     REFRESH_TOKEN_COOKIE_NAME, REFRESH_TOKEN_COOKIE_SECURE, REFRESH_TOKEN_COOKIE_SAMESITE,
+    REFRESH_TOKEN_COOKIE_PARTITIONED,
     RATE_LIMIT_LOGIN_HOURLY, RATE_LIMIT_REGISTER_HOURLY, RATE_LIMIT_REFRESH_HOURLY
 )
 from middleware.auth import require_auth, validate_request_data
@@ -55,6 +56,37 @@ def _find_valid_refresh_token(token_hash):
     })
     return doc
 
+def _set_refresh_cookie(response, token_value, max_age):
+    """Set refresh token cookie with all necessary attributes including Partitioned.
+    
+    The Partitioned attribute is required for third-party cookies in modern browsers
+    to prevent cross-site tracking.
+    """
+    cookie_parts = [
+        f"{REFRESH_TOKEN_COOKIE_NAME}={token_value}",
+        f"Max-Age={max_age}",
+        f"Path=/",
+    ]
+    
+    if REFRESH_TOKEN_COOKIE_SECURE:
+        cookie_parts.append("Secure")
+    
+    cookie_parts.append("HttpOnly")
+    
+    if REFRESH_TOKEN_COOKIE_SAMESITE:
+        cookie_parts.append(f"SameSite={REFRESH_TOKEN_COOKIE_SAMESITE}")
+    
+    if REFRESH_TOKEN_COOKIE_PARTITIONED:
+        cookie_parts.append("Partitioned")
+    
+    expires = datetime.utcnow() + timedelta(seconds=max_age)
+    expires_str = expires.strftime("%a, %d %b %Y %H:%M:%S GMT")
+    cookie_parts.append(f"Expires={expires_str}")
+    
+    cookie_string = "; ".join(cookie_parts)
+    response.headers.add("Set-Cookie", cookie_string)
+    return response
+
 @auth_bp.route("/auth/register", methods=["POST"])
 @limiter.limit(f"{RATE_LIMIT_REGISTER_HOURLY}/hour")
 @validate_request_data({
@@ -96,7 +128,7 @@ def register():
     expires_at = datetime.utcnow() + timedelta(seconds=REFRESH_TOKEN_EXPIRES_SECS)
     _store_refresh_token(user["_id"], h, expires_at)
     resp = make_response(jsonify({"status":"ok","token": access, "user": {"username": user["username"], "walletPubKey": user.get("walletPubKey")}}), 201)
-    resp.set_cookie(REFRESH_TOKEN_COOKIE_NAME, raw_refresh, httponly=True, secure=REFRESH_TOKEN_COOKIE_SECURE, samesite=REFRESH_TOKEN_COOKIE_SAMESITE, max_age=REFRESH_TOKEN_EXPIRES_SECS)
+    _set_refresh_cookie(resp, raw_refresh, REFRESH_TOKEN_EXPIRES_SECS)
     return resp
 
 @auth_bp.route("/auth/login", methods=["POST"])
@@ -130,7 +162,7 @@ def login():
     expires_at = datetime.utcnow() + timedelta(seconds=REFRESH_TOKEN_EXPIRES_SECS)
     _store_refresh_token(user["_id"], h, expires_at)
     resp = make_response(jsonify({"status":"ok","token": access, "user": {"username": user["username"], "walletPubKey": user.get("walletPubKey")}}))
-    resp.set_cookie(REFRESH_TOKEN_COOKIE_NAME, raw_refresh, httponly=True, secure=REFRESH_TOKEN_COOKIE_SECURE, samesite=REFRESH_TOKEN_COOKIE_SAMESITE, max_age=REFRESH_TOKEN_EXPIRES_SECS)
+    _set_refresh_cookie(resp, raw_refresh, REFRESH_TOKEN_EXPIRES_SECS)
     return resp
 
 @auth_bp.route("/auth/refresh", methods=["POST"])
@@ -150,7 +182,7 @@ def refresh():
     expires_at = datetime.utcnow() + timedelta(seconds=REFRESH_TOKEN_EXPIRES_SECS)
     _store_refresh_token(user["_id"], new_h, expires_at)
     resp = make_response(jsonify({"status":"ok","token": access}))
-    resp.set_cookie(REFRESH_TOKEN_COOKIE_NAME, new_raw, httponly=True, secure=REFRESH_TOKEN_COOKIE_SECURE, samesite=REFRESH_TOKEN_COOKIE_SAMESITE, max_age=REFRESH_TOKEN_EXPIRES_SECS)
+    _set_refresh_cookie(resp, new_raw, REFRESH_TOKEN_EXPIRES_SECS)
     return resp
 
 @auth_bp.route("/auth/logout", methods=["POST"])
