Skip to content

Fix CORS config: remove duplicate, move localhost to dev only#964

Merged
mbryzek merged 2 commits intomainfrom
fix-cors-config
Mar 4, 2026
Merged

Fix CORS config: remove duplicate, move localhost to dev only#964
mbryzek merged 2 commits intomainfrom
fix-cors-config

Conversation

@mbryzek
Copy link
Collaborator

@mbryzek mbryzek commented Mar 2, 2026

Summary

  • Remove duplicate play.filters.cors.allowedHttpMethods line in base.conf
  • Move http://localhost:5173 from base.conf to devandtest.conf so localhost origin is not allowed in production

Addresses review feedback from #963.

Test plan

  • Verify production config only allows apibuilder.io and apibuilder.org origins
  • Verify local dev still allows localhost:5173 via devandtest.conf override

🤖 Generated with Claude Code

@mbryzek @claude
Fix CORS config: remove duplicate and move localhost to dev only
7a2b6fc 
- Remove duplicate play.filters.cors.allowedHttpMethods line
- Move http://localhost:5173 from base.conf to devandtest.conf so
  localhost origin is not allowed in production

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 2, 2026 23:49
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Play CORS configuration to avoid allowing localhost origins in production and removes redundant config duplication.

Changes:

  • Remove duplicated play.filters.cors.allowedHttpMethods entry from base.conf.
  • Restrict production play.filters.cors.allowedOrigins to the app.apibuilder.io / app.apibuilder.org origins only.
  • Add http://localhost:5173 to CORS allowed origins in devandtest.conf (dev/test only).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
api/conf/base.conf Removes duplicate allowedHttpMethods line and removes localhost from the base (production-inherited) allowed origins list.
api/conf/devandtest.conf Adds a dev/test override for allowedOrigins including http://localhost:5173.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

api/conf/devandtest.conf Outdated
Comment on lines +12 to +17
play.filters.cors.allowedOrigins = [
"https://app.apibuilder.io",
"https://app.apibuilder.org",
"http://localhost:5173"
]

Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

devandtest.conf fully redefines play.filters.cors.allowedOrigins, duplicating the two production origins from base.conf. This can drift if the base list changes (e.g., adding/removing a prod origin) and dev/test won’t automatically inherit it. Prefer appending just the localhost origin to the existing list (e.g., via HOCON list append) so dev/test stays aligned with base by default.

Suggested change
play.filters.cors.allowedOrigins = [
"https://app.apibuilder.io",
"https://app.apibuilder.org",
"http://localhost:5173"
]
play.filters.cors.allowedOrigins += [
"http://localhost:5173"
]

Copilot uses AI. Check for mistakes.
@mbryzek @claude
Use HOCON list append for localhost CORS origin in devandtest
cfbb474 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mbryzek mbryzek merged commit 922f49b into main Mar 4, 2026
1 of 2 checks passed
@mbryzek mbryzek deleted the fix-cors-config branch March 4, 2026 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbryzek