feat(settings): proper CORS in production

If the backend starts in production mode with no `frontend_url` is set, immediately panic and stop.
2026-06-01 23:34:34 +02:00
parent afd399b84f
commit b38e6110d2
1 changed files with 13 additions and 2 deletions
@@ -80,11 +80,22 @@ impl From<Application> for RunnableApplication {
            // Use very high limits to effectively disable rate limiting
            RateLimitConfig::new(u32::MAX, 1)
        };
-
+        let frontend_url = value.settings.frontend_url.clone();
+        let cors = if value.settings.debug {
+            Cors::new()
+        } else {
+            if !cfg!(test) {
+                assert!(
+                    !frontend_url.is_empty(),
+                    "CORS: frontend_url must be configured in production"
+                );
+            }
+            Cors::new().allow_origin(frontend_url)
+        };
        let app = value
            .app
            .with(RateLimit::new(&rate_limit_config))
-            .with(Cors::new())
+            .with(cors)
            .data(value.settings);

        let server = value.server;