AuthMiddleware is the outermost middleware, so a credential-less CORS preflight (OPTIONS + Access-Control-Request-Method) was rejected with 401 before CORSMiddleware could answer it. That blocks every cross-origin browser/WebView client: the preflight fails, so the real request is never sent. Let a genuine preflight through at the top of AuthMiddleware.dispatch via a pure, unit-tested predicate (core.middleware.is_cors_preflight). Precise -- only OPTIONS carrying Access-Control-Request-Method; a credentialed request is never matched -- and no data access. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| atomic_io.py | ||
| auth.py | ||
| constants.py | ||
| database.py | ||
| exceptions.py | ||
| middleware.py | ||
| models.py | ||
| platform_compat.py | ||
| session_manager.py | ||