Skip to content

chore(host): point default CORS allow-list at the React client origins#1324

Merged
iammukeshm merged 1 commit into
fullstackhero:mainfrom
marcelo-maciel:chore/cors-allowedorigins-react
Jul 3, 2026
Merged

chore(host): point default CORS allow-list at the React client origins#1324
iammukeshm merged 1 commit into
fullstackhero:mainfrom
marcelo-maciel:chore/cors-allowedorigins-react

Conversation

@marcelo-maciel

Copy link
Copy Markdown
Contributor

What

CorsOptions.AllowedOrigins in appsettings.json listed https://localhost:4200 (Angular's default dev port) and https://localhost:7140, neither of which any client in this repo uses.

The two front-ends the kit actually ships and runs (via the Aspire AppHost) are:

  • clients/adminhttp://localhost:5173
  • clients/dashboardhttp://localhost:5174

This replaces the stale entries with the real React dev origins so the default configuration matches the apps out of the box.

Note

This touches the same AllowedOrigins block as #1323 (per-request front-end origin resolution), which adds :5173/:5174 on top of the existing entries. Whichever merges first, the other will need a trivial rebase of this one array. Happy to sequence them however you prefer.

`CorsOptions.AllowedOrigins` still listed `https://localhost:4200` (Angular)
and `https://localhost:7140`, neither of which any shipped client uses. The
two front-ends this kit runs are `clients/admin` (http://localhost:5173) and
`clients/dashboard` (http://localhost:5174). List those instead so the default
dev config actually matches the apps.
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@iammukeshm iammukeshm left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct — these are the two origins the kit actually serves (admin :5173, dashboard :5174); the 4200/7140 entries were stale. Merging.

@iammukeshm iammukeshm merged commit 71a1c47 into fullstackhero:main Jul 3, 2026
16 checks passed
marcelo-maciel added a commit to marcelo-maciel/dotnet-starter-kit that referenced this pull request Jul 4, 2026
Address review on fullstackhero#1323. Replace the CorsOptions-coupled, throw-on-miss
OriginResolver with a framework-level front-end origin resolver, so any module
that builds user-facing links (Identity today; Notifications/Billing/Tickets
next) resolves them the same way.

- New FSH.Framework.Web.Frontend: FrontendOptions (AllowedOrigins + DefaultOrigin)
  + IFrontendOriginResolver/FrontendOriginResolver. Validated at startup
  (ValidateOnStart) so a deployment missing both fails loud on boot instead of
  500-ing on the first password-reset — resolves the silent CorsOptions.AllowAll
  and empty-Production-list traps.
- ResolveForCurrentRequest() (self-service: forgot-password, self-register):
  validates the Origin header against the allow-list, returns the canonical
  entry (not the client's casing), falls back to DefaultOrigin when no header is
  present (curl / Scalar / mobile / server-to-server), and throws a 400-mapped
  CustomException on a present-but-forged origin (was InvalidOperationException
  -> 500). Matching is component-wise via Uri (port exact).
- ResolveDefault() (operator-driven: register, resend-confirmation): targets the
  recipient's app via DefaultOrigin instead of the operator's Origin, so a
  tenant user provisioned from the admin app no longer gets a link into :5173.
  Also serves background jobs that have no HttpContext.
- Dedup: ApiOrigin() folded into IRequestContext.Origin (its existing contract);
  RequestContextService owns the config-first/request-host logic and
  UserProfileService reads IRequestContextService.Origin for avatar URLs.
- appsettings: FrontendOptions (dev 5173/5174 + default 5174; Production empty =
  deploy requirement). Rebased onto main (fullstackhero#1324 CORS allow-list).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants