Release 1.3.1: fix prod CORS startup validation #566
Merged
Review — Release 1.3.1: fix prod CORS startup validation
Hotfix is correct and well-scoped. The root cause (1.3.0 added ValidateOnStart on Cors:Origins for non-Development environments but no compose file supplied it) is properly addressed by injecting the origins at the compose layer.
What was checked
- Binding convention — `Cors__Origins__0/1/2` is the correct ASP.NET Core env-var syntax for indexed array elements; `FrontendCorsOptions` binds from `Cors:*` and is mapped as `string[]`. Format is valid.
- Scheme correctness — prod uses HTTPS, local (`compose.yaml`) and QA (`compose.qa.yaml`) use HTTP on localhost. Matches the actual deployments.
- Test coverage — `CorsStartupIntegrationTests` already covers both the empty-list boot failure and the allow-listed-origin path; no new tests needed for a compose-only change.
- `compose.dev.yaml` — correctly left untouched: it sets `ASPNETCORE_ENVIRONMENT: Development`, which skips the strict guard (only a warning is logged).
Suggestions (non-blocking)
- `compose.prod.yaml` comment — the sentence "The public site is same-origin via the web SSR proxy, but the policy must still list every real frontend host" is slightly misleading: if SSR truly proxies all browser requests, CORS wouldn't apply to those requests at all. The real reason to list the domains is for any direct-to-API call (admin panel, mobile, etc.). Minor wording nit.
- `compose.qa.yaml` — a single `http://localhost:3001` is fine for CI/manual QA, but if the QA stack ever gets a TLS-terminated host, the origin will need updating. Low risk since it's a dev environment.
Hotfix on top of 1.3.0.
`Cors:Origins` in the non-dev compose files (fix(deploy): supply Cors:Origins in non-dev compose so the API boots #565 / fix(deploy): supply Cors:Origins in non-dev compose so the API boots #564). 1.3.0 added startup validation requiring `Cors:Origins` non-empty in Production, but no compose set it → the API crash-looped on boot. Adds the origins to `compose.prod.yaml` / `compose.qa.yaml` / `compose.yaml`.
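A pre-deploy check for the failure described above, as an added example that is not code from this pull request or project: it reads a compose `environment:` mapping the way the `Cors__Origins__N` convention is bound and reports an empty or malformed allow-list before the API boots. The function names, the placeholder hosts, the `Staging` environment name and the wildcard and HTTPS-in-Production rules are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# ASP.NET Core reads "__" in an environment variable name as ":" and compares
# configuration keys case-insensitively, so Cors__Origins__0 is Cors:Origins:0.
_KEY = re.compile(r"^cors:origins:(\d+)$", re.IGNORECASE)

def bound_origins(env):
    """Origins in index order, as a string[] bound from Cors:Origins would hold them."""
    indexed = []
    for name, value in env.items():
        match = _KEY.match(name.replace("__", ":"))
        if match:
            indexed.append((int(match.group(1)), str(value).strip()))
    return [value for _, value in sorted(indexed)]

def check_cors_env(env):
    """Return a list of problems for one compose `environment:` mapping."""
    # Assumption: an unset environment name is treated as Production.
    name = env.get("ASPNETCORE_ENVIRONMENT", "Production").lower()
    if name == "development":
        return []  # per the review, Development only logs a warning
    origins = bound_origins(env)
    if not origins:
        return ["Cors:Origins is empty: startup validation would stop the API at boot"]
    problems = []
    for origin in origins:
        parts = urlsplit(origin)
        if "*" in origin:
            problems.append(f"{origin!r}: wildcard instead of an explicit host")
        elif parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{origin!r}: not an absolute http(s) origin")
        elif parts.path or parts.query or parts.fragment:
            problems.append(f"{origin!r}: origin must be scheme://host[:port], no path or trailing slash")
        elif name == "production" and parts.scheme != "https":
            problems.append(f"{origin!r}: plain HTTP origin in Production")
    return problems

# Constructed sample mappings (hosts are placeholders, not the project's domains).
PROD_OK = {"ASPNETCORE_ENVIRONMENT": "Production", "Cors__Origins__0": "https://www.example.test", "Cors__Origins__1": "https://admin.example.test"}
PROD_MISSING = {"ASPNETCORE_ENVIRONMENT": "Production"}  # the 1.3.0 situation
PROD_BAD = {"ASPNETCORE_ENVIRONMENT": "Production", "Cors__Origins__0": "https://www.example.test/", "cors__origins__1": "http://www.example.test"}
QA_LOCAL = {"ASPNETCORE_ENVIRONMENT": "Staging", "Cors__Origins__0": "http://localhost:3001"}

if __name__ == "__main__":
    for label, env in [("prod ok", PROD_OK), ("prod missing", PROD_MISSING), ("prod bad", PROD_BAD), ("qa", QA_LOCAL)]:
        print(label, check_cors_env(env) or "ok")
```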