ulysses/core
Marius 04d6a5ccaa
Fix: CORS preflight 401'd by AuthMiddleware before CORSMiddleware (#3262)
AuthMiddleware is the outermost middleware, so a credential-less CORS preflight
(OPTIONS + Access-Control-Request-Method) was rejected with 401 before
CORSMiddleware could answer it. That blocks every cross-origin browser/WebView
client: the preflight fails, so the real request is never sent.

Let a genuine preflight through at the top of AuthMiddleware.dispatch via a pure,
unit-tested predicate (core.middleware.is_cors_preflight). Precise -- only
OPTIONS carrying Access-Control-Request-Method; a credentialed request is never
matched -- and no data access.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-07 15:23:23 +02:00
..
__init__.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
atomic_io.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
auth.py fix: avoid double bcrypt on login by using create_session_trusted (#3236) 2026-06-07 15:10:53 +02:00
constants.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
database.py feat(search): unify session transcript search (#2877) 2026-06-05 18:08:31 -06:00
exceptions.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
middleware.py Fix: CORS preflight 401'd by AuthMiddleware before CORSMiddleware (#3262) 2026-06-07 15:23:23 +02:00
models.py fix: exclude slash-command/setup messages from LLM context (#2634) (#2640) 2026-06-04 21:42:23 +02:00
platform_compat.py Fix Windows Cookbook background tasks, exit statuses, and empty SSH logs wrapper (#1389) 2026-06-05 14:41:07 +02:00
session_manager.py Fix session cleanup cutoff timezone (#2488) 2026-06-05 09:52:34 +02:00