Marius 04d6a5ccaa Fix: CORS preflight 401'd by AuthMiddleware before CORSMiddleware (#3262) ...

AuthMiddleware is the outermost middleware, so a credential-less CORS preflight
(OPTIONS + Access-Control-Request-Method) was rejected with 401 before
CORSMiddleware could answer it. That blocks every cross-origin browser/WebView
client: the preflight fails, so the real request is never sent.

Let a genuine preflight through at the top of AuthMiddleware.dispatch via a pure,
unit-tested predicate (core.middleware.is_cors_preflight). Precise -- only
OPTIONS carrying Access-Control-Request-Method; a credentialed request is never
matched -- and no data access.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-07 15:23:23 +02:00

..

__init__.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

atomic_io.py

Add native Windows compatibility layer

2026-06-01 15:09:47 +09:00

auth.py

fix: avoid double bcrypt on login by using create_session_trusted (#3236)

2026-06-07 15:10:53 +02:00

constants.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

database.py

feat(search): unify session transcript search (#2877)

2026-06-05 18:08:31 -06:00

exceptions.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

middleware.py

Fix: CORS preflight 401'd by AuthMiddleware before CORSMiddleware (#3262)

2026-06-07 15:23:23 +02:00

models.py

fix: exclude slash-command/setup messages from LLM context (#2634) (#2640)

2026-06-04 21:42:23 +02:00

platform_compat.py

Fix Windows Cookbook background tasks, exit statuses, and empty SSH logs wrapper (#1389)

2026-06-05 14:41:07 +02:00

session_manager.py

Fix session cleanup cutoff timezone (#2488)

2026-06-05 09:52:34 +02:00