I have an app that uses a FastAPI backend and a Next.js frontend. In development and on production with stable origins, I am able to use the CORSMiddleware with no issues. However, I have deployed the Next.js frontend with Vercel, and want to take advantage of the automatic Preview deployments that Vercel makes with each git commit to allow for staging-type qualitative testing and sanity checks.
I'm running into CORS issues on the Preview deployments: since each Preview deployment uses an auto-generated URL of the pattern: <project-name>-<unique-hash>-<scope-slug>.vercel.app
, I can't add them directly to the allow_origins argument of the CORSMiddleware. Instead I am trying to add the pattern to the allow_origin_regex argument.
I am very new to regex, but was able to figure out a pattern that I've tested to work in REPL. However, because I'm having issues, I've switched to use an ultra-permissive regex of '.*' just to get anything to work but that has failed also.
main.py (relevant portions)
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
app = FastAPI()
origins = [
"http://localhost",
"http://localhost:8080",
"http://localhost:3000",
"https://my-project-name.vercel.app"
]
app.add_middleware(
CORSMiddleware,
allow_origins=origins,
allow_origin_regex=".*",
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
I've looked at the FastAPI/Starlette cors.py file to see how it ingests and uses the origin regex and don't see where the problem would be. I've tested the same methods in REPL with no issues. I'm at a loss as to the next avenue to investigate in order to resolve this issue. Any assistance or pointers or "hey dummy you forgot this" comments are welcome.
CodePudding user response:
You could use:
allow_origin_regex='https://.*\.vercel\.app'
The example below is based on how FastAPI/Starlette's CORSMiddleware
works internally (see implementation here). The example shows that using the above regex, a match for an origin such as https://my-project-name.vercel.app
would be found.
import re
origin = 'https://my-project-name.vercel.app'
allow_origin_regex = 'https://.*\.vercel\.app'
compiled_allow_origin_regex = re.compile(allow_origin_regex)
if (compiled_allow_origin_regex is not None
and compiled_allow_origin_regex.fullmatch(origin)):
print('Math found')
else:
print('No match found')
Also, please make sure to specify the correct protocol (e.g., http
, https
) and port(80
, 8000
, 3000
) in allow_origin_regex
.
CodePudding user response:
I hesitate to admit how stupid the answer to this actually was once I realized my mistake, but wanted to be intellectually honest and provide an update just in case anyone else has a similar blank and runs into this down the line.
I'm new to anything frontend and development in general for the most part, and had never really dealt with CORS before. I was so concerned with getting the Preview deployments going on the frontend, and checking the auto-built Preview deployments on Vercel, that I forgot where I was actually making changes. I have the frontend and backend of my project as subdirectories within the same repo, so each git push of the backend code causes an automatic Vercel deployment, and I just blanked that it wouldn't cause an update of the actual FastAPI code.
As soon as I realized and pushed the changes to my backend, everything started working as it should.
I marked the other answer as correct because it was 100% correct in answering the question I asked, but providing this as it's the answer to the problem of where I made the real mistake.