chore(host): point default CORS allow-list at the React client origins#1324
Merged
iammukeshm merged 1 commit intoJul 3, 2026
Merged
Conversation
`CorsOptions.AllowedOrigins` still listed `https://localhost:4200` (Angular) and `https://localhost:7140`, neither of which any shipped client uses. The two front-ends this kit runs are `clients/admin` (http://localhost:5173) and `clients/dashboard` (http://localhost:5174). List those instead so the default dev config actually matches the apps.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
iammukeshm
approved these changes
Jul 3, 2026
iammukeshm
left a comment
Member
There was a problem hiding this comment.
Correct — these are the two origins the kit actually serves (admin :5173, dashboard :5174); the 4200/7140 entries were stale. Merging.
marcelo-maciel
added a commit
to marcelo-maciel/dotnet-starter-kit
that referenced
this pull request
Jul 4, 2026
Address review on fullstackhero#1323. Replace the CorsOptions-coupled, throw-on-miss OriginResolver with a framework-level front-end origin resolver, so any module that builds user-facing links (Identity today; Notifications/Billing/Tickets next) resolves them the same way. - New FSH.Framework.Web.Frontend: FrontendOptions (AllowedOrigins + DefaultOrigin) + IFrontendOriginResolver/FrontendOriginResolver. Validated at startup (ValidateOnStart) so a deployment missing both fails loud on boot instead of 500-ing on the first password-reset — resolves the silent CorsOptions.AllowAll and empty-Production-list traps. - ResolveForCurrentRequest() (self-service: forgot-password, self-register): validates the Origin header against the allow-list, returns the canonical entry (not the client's casing), falls back to DefaultOrigin when no header is present (curl / Scalar / mobile / server-to-server), and throws a 400-mapped CustomException on a present-but-forged origin (was InvalidOperationException -> 500). Matching is component-wise via Uri (port exact). - ResolveDefault() (operator-driven: register, resend-confirmation): targets the recipient's app via DefaultOrigin instead of the operator's Origin, so a tenant user provisioned from the admin app no longer gets a link into :5173. Also serves background jobs that have no HttpContext. - Dedup: ApiOrigin() folded into IRequestContext.Origin (its existing contract); RequestContextService owns the config-first/request-host logic and UserProfileService reads IRequestContextService.Origin for avatar URLs. - appsettings: FrontendOptions (dev 5173/5174 + default 5174; Production empty = deploy requirement). Rebased onto main (fullstackhero#1324 CORS allow-list).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
CorsOptions.AllowedOriginsinappsettings.jsonlistedhttps://localhost:4200(Angular's default dev port) andhttps://localhost:7140, neither of which any client in this repo uses.The two front-ends the kit actually ships and runs (via the Aspire AppHost) are:
clients/admin→http://localhost:5173clients/dashboard→http://localhost:5174This replaces the stale entries with the real React dev origins so the default configuration matches the apps out of the box.
Note
This touches the same
AllowedOriginsblock as #1323 (per-request front-end origin resolution), which adds:5173/:5174on top of the existing entries. Whichever merges first, the other will need a trivial rebase of this one array. Happy to sequence them however you prefer.