infra: add ALLOW_ORIGIN_REGEX for Vercel preview deploy CORS (OPE-56)

DevanshuNEU · DevanshuNEU · commit 8b97d279531a · 2026-03-01T11:22:40.000-05:00
Vercel preview deploys get dynamic URLs like:
  opencodeintel-git-feat-xxx.vercel.app

These need to call the Railway backend but get CORS blocked because
ALLOWED_ORIGINS only has the production domain.

FastAPI CORSMiddleware supports allow_origin_regex -- now configurable
via ALLOW_ORIGIN_REGEX env var. Set on Railway to:
  https://.*\.vercel\.app

This allows all Vercel preview URLs to call the backend while keeping
the explicit ALLOWED_ORIGINS list for production.

Also added GITHUB_TOKEN to optional startup vars (used by /repos/analyze).
diff --git a/.env.example b/.env.example
@@ -40,6 +40,9 @@ GITHUB_REDIRECT_URI=http://localhost:3000/auth/github/callback
 # CORS Configuration (Security)
 # Comma-separated list of allowed origins
 ALLOWED_ORIGINS=http://localhost:3000
+# Regex for dynamic CORS origins (Vercel preview deploys)
+# Set on Railway to allow PR preview URLs to call the backend
+# ALLOW_ORIGIN_REGEX=https://.*\.vercel\.app
 
 # Redis (auto-configured in Docker, set REDIS_URL in Railway)
 REDIS_HOST=redis
diff --git a/backend/config/startup_checks.py b/backend/config/startup_checks.py
@@ -29,6 +29,8 @@
     ("GITHUB_CLIENT_ID", "GitHub OAuth client ID", "GitHub repo import disabled"),
     ("GITHUB_CLIENT_SECRET", "GitHub OAuth client secret", "GitHub repo import disabled"),
     ("DISCORD_FEEDBACK_WEBHOOK", "Discord webhook for feedback", "Feedback notifications disabled"),
+    ("ALLOW_ORIGIN_REGEX", "CORS regex for preview deploys", "Only explicit origins allowed"),
+    ("GITHUB_TOKEN", "GitHub API token for repo analysis", "Using unauthenticated rate limit (60/hr)"),
 ]
 
 
diff --git a/backend/main.py b/backend/main.py
@@ -75,9 +75,13 @@ async def dispatch(self, request: Request, call_next):
 app.add_middleware(RequestSizeLimitMiddleware)
 
 ALLOWED_ORIGINS = os.getenv("ALLOWED_ORIGINS", "http://localhost:3000").split(",")
+# Allow Vercel preview deploys (dynamic subdomains) so PRs can be tested
+# against the production backend without CORS issues
+ALLOW_ORIGIN_REGEX = os.getenv("ALLOW_ORIGIN_REGEX", "")
 app.add_middleware(
     CORSMiddleware,
     allow_origins=ALLOWED_ORIGINS,
+    allow_origin_regex=ALLOW_ORIGIN_REGEX or None,
     allow_credentials=True,
     allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allow_headers=["Authorization", "Content-Type"],

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@`
`29`	`29`	`("GITHUB_CLIENT_ID", "GitHub OAuth client ID", "GitHub repo import disabled"),`
`30`	`30`	`("GITHUB_CLIENT_SECRET", "GitHub OAuth client secret", "GitHub repo import disabled"),`
`31`	`31`	`("DISCORD_FEEDBACK_WEBHOOK", "Discord webhook for feedback", "Feedback notifications disabled"),`
	`32`	`+ ("ALLOW_ORIGIN_REGEX", "CORS regex for preview deploys", "Only explicit origins allowed"),`
	`33`	`+ ("GITHUB_TOKEN", "GitHub API token for repo analysis", "Using unauthenticated rate limit (60/hr)"),`
`32`	`34`	`]`
`33`	`35`
`34`	`36`