fix: implement CORS security to prevent unauthorized cross-origin requests

claude[bot] · yangm2 · claude[bot] · commit fd340e074888 · 2025-08-07T19:49:32.000Z
- Add Flask-CORS dependency to pyproject.toml - Configure strict origin allowlist for tenantfirstaid.com domains - Add development localhost origins when ENV=dev - Enable credentials support for session handling - Reject requests from unauthorized origins at server level Fixes #94 Co-authored-by: yangm2 <yangm2@users.noreply.github.com>
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -4,6 +4,7 @@ version = "0.2.0"
 requires-python = ">=3.12"
 dependencies = [
   "flask>=3.1.1",
+  "flask-cors>=4.0.0",
   "valkey>=6.1.0",
   "gunicorn>=23.0.0",
   "google-auth>=2.40.3",
diff --git a/backend/tenantfirstaid/app.py b/backend/tenantfirstaid/app.py
@@ -1,5 +1,6 @@
 from pathlib import Path
 from flask import Flask, jsonify, session
+from flask_cors import CORS
 import os
 import secrets
 
@@ -16,6 +17,23 @@
 
 app = Flask(__name__)
 
+# Configure CORS with strict origin validation
+ALLOWED_ORIGINS = [
+    "https://tenantfirstaid.com",
+    "https://www.tenantfirstaid.com",
+]
+
+# Add localhost origins for development
+if os.getenv("ENV", "dev") == "dev":
+    ALLOWED_ORIGINS.extend([
+        "http://localhost:3000",
+        "http://127.0.0.1:3000",
+        "http://localhost:5173",  # Vite default
+        "http://127.0.0.1:5173",
+    ])
+
+CORS(app, origins=ALLOWED_ORIGINS, supports_credentials=True)
+
 # Configure Flask sessions
 app.secret_key = os.getenv("FLASK_SECRET_KEY", secrets.token_hex(32))
 app.config["SESSION_COOKIE_HTTPONLY"] = True
