feat(security): add CORS and TrustedHost middlewares

google-labs-jules[bot] · lgcorzo · google-labs-jules[bot] · commit b0d694bbd50b · 2026-02-13T20:43:11.000Z
- Added `CORSMiddleware` and `TrustedHostMiddleware` to `kafka_app.py`.
- Configured `ALLOWED_ORIGINS` and `ALLOWED_HOSTS` from environment variables.
- Implemented logic to disable `allow_credentials` when `ALLOWED_ORIGINS` contains `*`.
- Added test `tests/controller/test_middleware.py` to verify middleware configuration.

Co-authored-by: lgcorzo &lt;46710567+lgcorzo@users.noreply.github.com&gt;
diff --git a/src/regression_model_template/controller/kafka_app.py b/src/regression_model_template/controller/kafka_app.py
@@ -12,6 +12,8 @@
 import uvicorn
 import pandas as pd
 from fastapi import FastAPI, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
 from pydantic import BaseModel
 
 from confluent_kafka import Producer, Consumer, KafkaError, Message
@@ -29,6 +31,8 @@
 DEFAULT_OUTPUT_TOPIC = os.getenv("DEFAULT_OUTPUT_TOPIC", "output_topic")
 DEFAULT_FASTAPI_HOST = os.getenv("DEFAULT_FASTAPI_HOST", "127.0.0.1")
 DEFAULT_FASTAPI_PORT = int(os.getenv("DEFAULT_FASTAPI_PORT", 8100))
+ALLOWED_ORIGINS = os.getenv("ALLOWED_ORIGINS", "*").split(",")
+ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")
 LOGGING_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"
 
 
@@ -43,6 +47,23 @@
     version="1.0.0",
 )
 
+# Security Middleware Configuration
+# If ALLOWED_ORIGINS contains *, allow_credentials must be False to prevent browser errors
+allow_credentials = "*" not in ALLOWED_ORIGINS
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=ALLOWED_ORIGINS,
+    allow_credentials=allow_credentials,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+app.add_middleware(
+    TrustedHostMiddleware,
+    allowed_hosts=ALLOWED_HOSTS,
+)
+
 
 # Data Models
 class PredictionRequest(BaseModel):
diff --git a/tests/controller/test_middleware.py b/tests/controller/test_middleware.py
@@ -0,0 +1,29 @@
+from starlette.middleware.cors import CORSMiddleware
+from starlette.middleware.trustedhost import TrustedHostMiddleware
+from regression_model_template.controller.kafka_app import app
+
+
+def test_middleware_configuration():
+    """Test that CORS and TrustedHost middlewares are configured."""
+    middlewares = [m.cls for m in app.user_middleware]
+
+    # Check for CORSMiddleware
+    assert CORSMiddleware in middlewares, "CORSMiddleware is missing"
+
+    # Check for TrustedHostMiddleware
+    assert TrustedHostMiddleware in middlewares, "TrustedHostMiddleware is missing"
+
+
+def test_cors_middleware_options():
+    """Test CORSMiddleware configuration details."""
+    cors_middleware = next((m for m in app.user_middleware if m.cls == CORSMiddleware), None)
+    assert cors_middleware is not None
+
+    # We can inspect the options passed to the middleware
+    # Note: In Starlette/FastAPI, middleware options are stored in .kwargs or .options
+    # For CORSMiddleware, we expect allow_origins, allow_credentials, etc.
+
+    options = cors_middleware.kwargs
+    assert "allow_origins" in options
+    assert "allow_methods" in options
+    assert "allow_headers" in options
