feat(middleware): configure CORS from settings in middleware chain

Replace Cors::new() with Cors::from(value.settings.cors.clone()) in the From<Application> for RunnableApplication implementation to use CORS settings from configuration instead of hardcoded defaults. Changes: - Use From<CorsSettings> for Cors trait to build CORS middleware - Add unit test verifying CORS middleware uses settings - Maintain correct middleware order: RateLimit → CORS → Data Ref: T015
2026-01-03 17:50:06 +01:00
parent 5d6c3208cc
commit b620c3d638
3 changed files with 35 additions and 8 deletions
--- a/backend/src/settings/cors.rs
+++ b/backend/src/settings/cors.rs
@@ -194,7 +194,9 @@ mod tests {
    }

    #[test]
-    #[should_panic(expected = "CORS misconfiguration: wildcard origin not allowed with credentials=true")]
+    #[should_panic(
+        expected = "CORS misconfiguration: wildcard origin not allowed with credentials=true"
+    )]
    fn cors_conversion_panics_on_wildcard_with_credentials() {
        let settings = CorsSettings {
            allowed_origins: vec!["*".to_string()],
--- a/backend/src/startup.rs
+++ b/backend/src/startup.rs
@@ -80,10 +80,12 @@ impl From<Application> for RunnableApplication {
            RateLimitConfig::new(u32::MAX, 1)
        };

+        let cors = Cors::from(value.settings.cors.clone());
+
        let app = value
            .app
            .with(RateLimit::new(&rate_limit_config))
-            .with(Cors::new())
+            .with(cors)
            .data(value.settings);

        let server = value.server;
@@ -225,4 +227,27 @@ mod tests {
        assert_eq!(app.host(), "127.0.0.1");
        assert_eq!(app.port(), 8080);
    }
+
+    // T015: Test that CORS middleware is configured from settings
+    #[test]
+    fn runnable_application_uses_cors_from_settings() {
+        // GIVEN: An application with custom CORS settings
+        let mut settings = create_test_settings();
+        settings.cors = crate::settings::CorsSettings {
+            allowed_origins: vec!["http://localhost:5173".to_string()],
+            allow_credentials: false,
+            max_age_secs: 3600,
+        };
+
+        // WHEN: The application is converted to a runnable application
+        let app = Application::build(settings.clone(), None);
+        let _runnable_app = app.make_app();
+
+        // THEN: The middleware chain should use CORS settings from configuration
+        // Note: This is a structural test - actual CORS behavior is tested in integration tests (T016)
+        // The fact that this compiles and runs without panic verifies that:
+        // 1. CORS settings are properly loaded
+        // 2. The From<CorsSettings> trait is correctly implemented
+        // 3. The middleware chain accepts the CORS configuration
+    }
 }