feat(config): add CORS_ORIGINS configuration for API

.env.example

@@ -22,7 +22,7 @@ RABBITMQ_PASSWORD=rune_password
 # ===========================================
 # Environment (dev, prod, etc.)
 ENVIRONMENT=prod
-
+CORS_ORIGINS=http://frontend:3000,http://localhost:3000
 # JWT Settings - CHANGE THESE IN PRODUCTION!
 JWT_SECRET_KEY=gdfshdshdhsdghrbrhhjtjjrnnrrwh
 JWT_ALGORITHM=HS256

docker-compose.yml

@@ -74,6 +74,7 @@ services:
       REDIS_PORT: 6379
       REDIS_DB: 0
       # Application Settings
+      CORS_ORIGINS: ${CORS_ORIGINS:-http://frontend:3000}
       ENVIRONMENT: ${ENVIRONMENT:-prod}
       APP_NAME: "Rune API"
       # JWT Settings (use secrets from .env or defaults for development)

services/api/.env.example

@@ -1,6 +1,8 @@
 # Application Settings
 ENVIRONMENT=prod
 APP_NAME="Rune API"
+#comma separated list of allowed origins or single origin without a comma
+CORS_ORIGINS=http://localhost:3000,http://frontend:3000,http://127.0.0.1:3000 
 
 
 # Database Settings

services/api/.env.test

@@ -1,6 +1,7 @@
 # Test Environment Configuration
 ENVIRONMENT=dev
 APP_NAME=Rune API Test
+CORS_ORIGINS=http://localhost:3000,http://frontend:3000,http://127.0.0.1:3000
 
 # Test Database
 POSTGRES_USER=test_user

services/api/src/app.py

@@ -43,7 +43,7 @@ async def lifespan(app: FastAPI):
 )
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # In production, specify allowed origins
+    allow_origins=[origin.strip() for origin in settings.cors_origins.split(",")],
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

services/api/src/core/config.py

@@ -21,6 +21,9 @@ class Settings(BaseSettings):
     # Application Settings
     environment: Environment = Environment.DEV
     app_name: str = "Rune API"
+    cors_origins: str = (
+        "http://localhost:3000,http://frontend:3000,http://127.0.0.1:3000"
+    )
 
     # Database Settings
     postgres_user: str = "postgres"