cors and openai security stuff in apps/ai

Author: yujonglee

apps/ai/Cargo.toml

@@ -12,7 +12,7 @@ owhisper-client = { workspace = true }
 
 axum = { workspace = true, features = ["ws"] }
 tokio = { workspace = true, features = ["rt-multi-thread", "macros", "signal"] }
-tower-http = { workspace = true, features = ["trace"] }
+tower-http = { workspace = true, features = ["trace", "cors"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter"] }
 

apps/ai/src/main.rs

@@ -9,7 +9,11 @@ use std::time::Duration;
 use axum::{Router, body::Body, extract::MatchedPath, http::Request, middleware};
 use sentry::integrations::tower::{NewSentryLayer, SentryHttpLayer};
 use tower::ServiceBuilder;
-use tower_http::{classify::ServerErrorsFailureClass, trace::TraceLayer};
+use tower_http::{
+    classify::ServerErrorsFailureClass,
+    cors::{self, CorsLayer},
+    trace::TraceLayer,
+};
 use tracing_subscriber::prelude::*;
 
 use hypr_analytics::AnalyticsClientBuilder;
@@ -49,6 +53,12 @@ fn app() -> Router {
         .route("/health", axum::routing::get(|| async { "ok" }))
         .route("/openapi.json", axum::routing::get(openapi_json))
         .merge(protected_routes)
+        .layer(
+            CorsLayer::new()
+                .allow_origin(cors::Any)
+                .allow_methods(cors::Any)
+                .allow_headers(cors::Any),
+        )
         .layer(
             ServiceBuilder::new()
                 .layer(NewSentryLayer::<Request<Body>>::new_from_top())

apps/ai/src/openapi.rs

@@ -1,4 +1,5 @@
-use utoipa::OpenApi;
+use utoipa::openapi::security::{ApiKey, ApiKeyValue, Http, HttpAuthScheme, SecurityScheme};
+use utoipa::{Modify, OpenApi};
 
 #[derive(OpenApi)]
 #[openapi(
@@ -10,7 +11,8 @@ use utoipa::OpenApi;
     tags(
         (name = "stt", description = "Speech-to-text transcription endpoints"),
         (name = "llm", description = "LLM chat completions endpoints")
-    )
+    ),
+    modifiers(&SecurityAddon)
 )]
 pub struct ApiDoc;
 
@@ -25,3 +27,29 @@ pub fn openapi() -> utoipa::openapi::OpenApi {
 
     doc
 }
+
+struct SecurityAddon;
+
+impl Modify for SecurityAddon {
+    fn modify(&self, openapi: &mut utoipa::openapi::OpenApi) {
+        if let Some(components) = openapi.components.as_mut() {
+            components.add_security_scheme(
+                "bearer_auth",
+                SecurityScheme::Http(
+                    Http::builder()
+                        .scheme(HttpAuthScheme::Bearer)
+                        .bearer_format("JWT")
+                        .description(Some("Supabase JWT token"))
+                        .build(),
+                ),
+            );
+            components.add_security_scheme(
+                "device_fingerprint",
+                SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::with_description(
+                    "x-device-fingerprint",
+                    "Optional device fingerprint for analytics",
+                ))),
+            );
+        }
+    }
+}