@voodoohop
Member

Problem

Frontend at https://pollinations.ai was blocked by CORS when fetching from /api/generate/image/models

Root Cause

  • Main app CORS only allowed specific origins (enter.pollinations.ai, beta.pollinations.ai)
  • Duplicate CORS middleware in proxy.ts was being overridden
  • OPTIONS preflight requests failed for external domains

Solution

  • Add permissive CORS (origin: '*') for /api/generate/* public API routes
  • Remove duplicate CORS from proxy.ts (now handled at app level)
  • Add pollinations.ai to restrictive CORS for auth/dashboard routes
  • Add OPTIONS preflight test to prevent regression

Changes

  • src/index.ts: Split CORS into permissive (public API) and restrictive (auth)
  • src/routes/proxy.ts: Remove duplicate CORS middleware
  • test/integration/public-endpoints.test.ts: Add OPTIONS test

Testing

✅ All 5 tests passing including new OPTIONS preflight test

Fixes CORS errors for any external website using the public API

- Add separate CORS config for /api/generate/* with origin: '*'
- Remove duplicate CORS middleware from proxy.ts
- Add pollinations.ai to restrictive CORS allowlist
- Add OPTIONS preflight test to prevent regression
- Fixes CORS errors from pollinations.ai frontend
@github-project-automation github-project-automation bot moved this to To Do in Dev Nov 5, 2025
@netlify

netlify bot commented Nov 5, 2025

Deploy Preview for pollinations ready!

Name Link
🔨 Latest commit bdbe0fd
🔍 Latest deploy log https://app.netlify.com/projects/pollinations/deploys/690abfc5c82ae300085d27b5
😎 Deploy Preview https://deploy-preview-5026--pollinations.netlify.app

@voodoohop
Member Author

@claude can you review concisely in bullets?

@claude
Contributor

claude bot commented Nov 5, 2025

Claude finished @voodoohop's task


Code Review

  • Read changed files
  • Analyze CORS implementation
  • Review tests and documentation
  • Provide feedback

CORS Configuration (src/index.ts):

  • Clean split: Permissive (*) for public API, restrictive for auth - correct approach
  • Middleware order: Public CORS before restrictive ensures correct matching
  • ⚠️ pollinations.ai in restrictive CORS: Now allows credentials from pollinations.ai, but public API routes won't use it (they match first) - redundant but harmless

Proxy Routes (src/routes/proxy.ts):

  • Duplicate removal: Correctly removed duplicate CORS middleware (was being overridden anyway)

Tests (test/integration/public-endpoints.test.ts):

  • OPTIONS test added: Validates preflight for CORS - excellent regression prevention
  • Expects * origin: Correct for permissive public API

Documentation (AGENTS.md):

  • CORS note added: Documents the fix and expected behavior

Overall:

  • ✅ Root cause correctly identified and fixed
  • ✅ Tests passing with new coverage
  • ✅ Solution follows security best practices (public endpoints open, auth endpoints restricted)

Minor note: Line 51 in src/index.ts adding pollinations.ai to restrictive CORS is technically unused (public API routes match first), but doesn't hurt.


@voodoohop voodoohop merged commit e6852ae into main Nov 5, 2025
4 of 7 checks passed
@github-project-automation github-project-automation bot moved this from To Do to Done in Dev Nov 5, 2025
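
The split described in the PR and checked in the review (wildcard for /api/generate/*, exact allowlist for auth routes, public match first), as an added example that is not code from the PR or the pollinations repository. It is a framework-free model: the https scheme on the origins, the method and header lists, and the function names are assumptions.

```javascript
// Added illustration: framework-free model of a split CORS policy.
// Origins and the /api/generate/ prefix come from the PR text; the https
// scheme, method/header lists and function names are assumptions.
const AUTH_ALLOWLIST = new Set([
  "https://enter.pollinations.ai",
  "https://beta.pollinations.ai",
  "https://pollinations.ai",
]);

const PUBLIC_PREFIX = "/api/generate/";

// Return the CORS response headers for one request, or {} when no grant applies.
function corsHeaders(method, path, origin) {
  if (!origin) return {}; // no Origin header: not a cross-origin browser request
  const headers = {};
  if (path.startsWith(PUBLIC_PREFIX)) {
    // Public API: any origin may read the response, but without credentials.
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (AUTH_ALLOWLIST.has(origin)) {
    // Auth/dashboard: exact-match allowlist, echo the origin, allow credentials.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // stop caches reusing one origin's grant for another
  } else {
    return {}; // unlisted origin on a restricted route: the browser blocks the read
  }
  if (method === "OPTIONS") {
    // Preflight: advertise what the actual request may use.
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  }
  return headers;
}

// Regression guard: a wildcard grant must never be paired with credentials.
function isSafe(headers) {
  return !(headers["Access-Control-Allow-Origin"] === "*" &&
           headers["Access-Control-Allow-Credentials"] === "true");
}
```

The allowlist uses exact string matching on the full origin, so a look-alike host that merely contains an allowed name receives no grant.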