fix: make origin enforcement opt-in

Disable Origin and Referer enforcement by default for the same-compose
setup while keeping ADMIN_ALLOWED_ORIGINS available for stricter deployments.

Author: leolionart

.env.example

@@ -30,15 +30,10 @@ ADMIN_SESSION_TTL_DAYS=30
 ADMIN_SESSION_COOKIE_NAME=cliproxy_admin_session
 ADMIN_SESSION_SECURE_COOKIE=false
 ADMIN_SESSION_SAMESITE=Lax
-# Optional comma-separated allowlist. Leave empty to allow same-origin host automatically.
+# Optional comma-separated allowlist for stricter Origin/Referer checks on auth/admin POST routes.
+# Leave empty to disable Origin enforcement (recommended for the default same-compose setup).
 ADMIN_ALLOWED_ORIGINS=
 
 # Frontend polling interval (seconds)
 VITE_AUTO_REFRESH_SECONDS=60
 VITE_APP_LOGS_PAGE_SIZE=500
-
-# Optional: Lark MCP local setup (for Claude Code .mcp.json)
-LARK_APP_ID=cli_xxx
-LARK_APP_SECRET=your-lark-app-secret
-LARK_DOMAIN=https://open.larksuite.com
-LARK_TOOLSETS=preset.base,preset.task,task.v2.task.get,task.v2.task.list,task.v2.tasklist.list,task.v2.tasklist.tasks

README.md

@@ -86,6 +86,7 @@ Notes:
 - The browser stores only an `HttpOnly` session cookie; the password is never stored in browser storage.
 - If you deploy behind HTTPS, set `ADMIN_SESSION_SECURE_COOKIE=true`.
 - Default host port for PostgREST is now `8418` to avoid common conflicts on `3000`. Override with `POSTGREST_HOST_PORT` if needed.
+- `ADMIN_ALLOWED_ORIGINS` is optional. Leave it empty for the default same-compose setup; set it only if you want stricter Origin/Referer enforcement.
 
 ### 5) Start services
 ```bash

collector/main.py

@@ -204,6 +204,9 @@ def _origin_allowed(origin: str) -> bool:
 
 
 def _validate_same_origin_request() -> Optional[Response]:
+    if not ADMIN_ALLOWED_ORIGINS:
+        return None
+
     origin = _get_request_origin()
     referer = (request.headers.get('Referer') or '').strip()