From 06a601359c904a77d75b81d11874390652254d27 Mon Sep 17 00:00:00 2001
From: Petar Zivkovic <me@petarzivkovic.com>
Date: Mon, 9 Feb 2026 16:57:50 +0100
Subject: [PATCH] fix: removed duplicate CORS middleware

---
 server/bootstrap.py |  9 ---------
 utils/middleware.py | 15 ++++++++++-----
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/server/bootstrap.py b/server/bootstrap.py
index 17942b85..b0f875e1 100755
--- a/server/bootstrap.py
+++ b/server/bootstrap.py
@@ -1,7 +1,6 @@
 """Application bootstrap helpers for the FastAPI server."""
 
 from fastapi import FastAPI
-from fastapi.middleware.cors import CORSMiddleware
 
 from server import state
 from server.config_schema_router import router as config_schema_router
@@ -13,14 +12,6 @@ from utils.middleware import add_middleware
 def init_app(app: FastAPI) -> None:
     """Apply shared middleware, routers, and global state to ``app``."""
 
-    app.add_middleware(
-        CORSMiddleware,
-        allow_origins=["*"],
-        allow_credentials=True,
-        allow_methods=["*"],
-        allow_headers=["*"],
-    )
-
     add_exception_handlers(app)
     add_middleware(app)
 
diff --git a/utils/middleware.py b/utils/middleware.py
index 3cc40f18..90d4293c 100755
--- a/utils/middleware.py
+++ b/utils/middleware.py
@@ -87,9 +87,9 @@ async def rate_limit_middleware(request: Request, call_next: Callable):
     return response
 
 
-def add_middleware(app: FastAPI):
-    """Add all middleware to the FastAPI application."""
-    # CORS (dev defaults; override via CORS_ALLOW_ORIGINS comma-separated list)
+def add_cors_middleware(app: FastAPI) -> None:
+    """Configure and attach CORS middleware."""
+    # Dev defaults; override via CORS_ALLOW_ORIGINS (comma-separated)
     default_origins = [
         "http://localhost:5173",
         "http://127.0.0.1:5173",
@@ -103,7 +103,6 @@ def add_middleware(app: FastAPI):
         # Helpful in dev: allow localhost/127.0.0.1 on any port
         origin_regex = r"^https?://(localhost|127\.0\.0\.1)(:\d+)?$"
 
-    # Add CORS middleware first to handle preflight requests and allow origins.
     app.add_middleware(
         CORSMiddleware,
         allow_origins=origins,
@@ -115,9 +114,15 @@ def add_middleware(app: FastAPI):
         max_age=600,
     )
 
+
+def add_middleware(app: FastAPI):
+    """Add all middleware to the FastAPI application."""
+    # Attach CORS first to handle preflight requests and allow origins.
+    add_cors_middleware(app)
+
     # Add other middleware
     app.middleware("http")(correlation_id_middleware)
     app.middleware("http")(security_middleware)
     # app.middleware("http")(rate_limit_middleware)  # Enable if needed
     
-    return app
\ No newline at end of file
+    return app