Fix: CORS preflight 401'd by AuthMiddleware before CORSMiddleware (#3262)

AuthMiddleware is the outermost middleware, so a credential-less CORS preflight (OPTIONS + Access-Control-Request-Method) was rejected with 401 before CORSMiddleware could answer it. That blocks every cross-origin browser/WebView client: the preflight fails, so the real request is never sent. Let a genuine preflight through at the top of AuthMiddleware.dispatch via a pure, unit-tested predicate (core.middleware.is_cors_preflight). Precise -- only OPTIONS carrying Access-Control-Request-Method; a credentialed request is never matched -- and no data access. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 02:05:22 -04:00 · 2026-06-07 14:23:23 +01:00
parent a3784da172
commit 04d6a5ccaa
3 changed files with 49 additions and 1 deletions
@@ -54,7 +54,7 @@ from core.constants import (
    REQUEST_TIMEOUT, OPENAI_API_KEY,
 )
 from core.database import SessionLocal, ApiToken
-from core.middleware import SecurityHeadersMiddleware
+from core.middleware import SecurityHeadersMiddleware, is_cors_preflight
 from core.auth import AuthManager
 from core.exceptions import (
    SessionNotFoundError, InvalidFileUploadError,
@@ -253,6 +253,15 @@ if AUTH_ENABLED:
    class AuthMiddleware(BaseHTTPMiddleware):
        async def dispatch(self, request: Request, call_next):
            path = request.url.path
+            # A genuine CORS preflight (OPTIONS + Access-Control-Request-Method)
+            # carries no credentials by design and must reach CORSMiddleware to be
+            # answered. AuthMiddleware is the outermost middleware, so gating the
+            # preflight on auth 401s it before CORS can respond -- which blocks
+            # every cross-origin browser/WebView client before the real request
+            # is sent. Let real preflights through (only OPTIONS w/ the ACRM
+            # header; never a credentialed request).
+            if is_cors_preflight(request.method, request.headers):
+                return await call_next(request)
            if _is_auth_exempt(path):
                return await call_next(request)
            # In-process internal-tool token bypass. Used by the agent