diff --git a/app/settings.py b/app/settings.py
index ccf0586..1d74bdc 100644
--- a/app/settings.py
+++ b/app/settings.py
@@ -24,8 +24,8 @@ class Settings(pydantic_settings.BaseSettings):
 swagger_offline_docs: bool = True
 cors_allowed_origins: list[str] = ["http://localhost:5173"]
- cors_allowed_methods: list[str] = [""]
- cors_allowed_headers: list[str] = [""]
+ cors_allowed_methods: list[str] = ["*"]
+ cors_allowed_headers: list[str] = ["*"]
 cors_exposed_headers: list[str] = []
 request_max_body_size: int = 1024 * 1024 # 1MB limit
diff --git a/tests/test_cors.py b/tests/test_cors.py
new file mode 100644
index 0000000..02565e7
--- /dev/null
+++ b/tests/test_cors.py
@@ -0,0 +1,19 @@
+from typing import TYPE_CHECKING
+
+
+if TYPE_CHECKING:
+ from httpx import AsyncClient
+
+
+async def test_cors_preflight_allows_write_methods(client: AsyncClient) -> None:
+ response = await client.options(
+ "/api/decks/",
+ headers={
+ "Origin": "http://localhost:5173",
+ "Access-Control-Request-Method": "POST",
+ },
+ )
+
+ allow_methods = response.headers.get("access-control-allow-methods", "")
+ assert "POST" in allow_methods
+ assert "PUT" in allow_methods
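Review bot: The new defaults `["*"]` for `cors_allowed_methods` and `cors_allowed_headers` permit every method and every request header for any allowed origin, and since they are class defaults, a deployment that overrides only `cors_allowed_origins` presumably inherits them unchanged. An explicit list keeps the preflight policy auditable, for example `cors_allowed_methods: list[str] = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]` and `cors_allowed_headers: list[str] = ["Authorization", "Content-Type"]`, adjusted to what the API actually serves. If the wildcards are kept for local development, a comment above the two fields such as `# Wildcards are a development default; set explicit methods and headers in production.` would record that intent. How the wildcard interacts with credentialed requests depends on the CORS middleware wiring, which is not visible here, and the Settings class starts and continues outside the hunk.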
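Review bot: The annotation `client: AsyncClient` on the test function uses a name that is imported only under `if TYPE_CHECKING:`, and the new file has no `from __future__ import annotations`. On interpreters that evaluate annotations at definition time (before Python 3.14), importing the module would therefore raise NameError. Adding `from __future__ import annotations` as the first line avoids this, unless the project already guarantees 3.14 or later. The test also exercises only the allowed origin. Now that methods and headers default to a wildcard, a companion test with an origin outside `cors_allowed_origins` would pin the one restriction that remains; a sketch using a constructed sample origin follows.

```python
# … unchanged: imports and test_cors_preflight_allows_write_methods …


async def test_cors_preflight_ignores_unlisted_origin(client: AsyncClient) -> None:
    unlisted_origin = "http://unlisted.example"  # constructed sample value
    response = await client.options(
        "/api/decks/",
        headers={
            "Origin": unlisted_origin,
            "Access-Control-Request-Method": "POST",
        },
    )

    allow_origin = response.headers.get("access-control-allow-origin")
    assert allow_origin not in ("*", unlisted_origin)
```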