fix(api): CORS headers on 5xx + 404 (not 500) for malformed cloud ids#34
Merged
Merged
Conversation
1. CORS on error responses. Starlette renders unhandled 500s in
ServerErrorMiddleware, which sits OUTSIDE CORSMiddleware — so every gateway
5xx reached the browser with no Access-Control-* headers and looked like a
CORS failure ("Load failed"), masking the real error platform-wide. Added an
Exception (500) handler that returns a clean JSON 500 and re-attaches the
allow-credentials CORS contract (echoes the request Origin iff allow-listed).
Origins are now a single shared constant used by both CORSMiddleware and the
handler. HTTPExceptions already get CORS (handled inside ExceptionMiddleware).
2. Malformed cloud id -> 404, not 500. GET /cloud/agents/{id} and /{id}/runs
threw an unhandled asyncpg "invalid input syntax for type uuid" (e.g. the
frontend sending "undefined") -> 500. _get_agent_or_404 now validates the id
is a UUID and returns 404 agent_not_found; the run-by-id endpoints
(status/logs/cancel) likewise guard run_id -> 404 run_not_found. Every
agent-by-id endpoint already routes through _get_agent_or_404, so all are
covered.
Verified in isolation: a forced 500 returns Access-Control-Allow-Origin:
https://wayforth.io; a bad id returns 404 (also with CORS).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
1. CORS on error responses. Unhandled 500s render in
ServerErrorMiddleware(outsideCORSMiddleware), so every 5xx reached the browser with noAccess-Control-*headers — surfacing as a generic CORS/"Load failed" error that masked every server error platform-wide. Added anExceptionhandler that returns a clean JSON 500 with the allow-credentials CORS contract (echoes the request Origin iff allow-listed). Origins are now one shared constant.2. Malformed id → 404, not 500.
GET /cloud/agents/{id}and/{id}/runsthrew an unhandled asyncpginvalid input syntax for type uuidon a non-UUID id (e.g. "undefined")._get_agent_or_404now validates the id → 404; run-by-id endpoints guardrun_id→ 404.Verified in isolation: forced 500 →
Access-Control-Allow-Origin: https://wayforth.io; bad id → 404.🤖 Generated with Claude Code