CORS Issue with Public API #11523

Merged
merged 1 commit into from
Mar 21, 2025
Conversation

flvndvd
Contributor

@flvndvd flvndvd commented Mar 21, 2025

Description

We encountered a critical issue with our public API where legitimate requests were being blocked due to overly restrictive CORS handling in our middleware (original PR here).

Root Cause

Our middleware was implementing CORS checks that:

  1. Required an Origin header for all requests to /api/v1/* endpoints
  2. Blocked requests without an origin header with a 403 error
  3. Only allowed requests from front-ext.dust.tt

This caused several problems:

  • Backend services using our SDK were blocked (no Origin header)
  • Slack connector integration failed (direct server requests)
  • Other non-browser API consumers were unable to access the API
  • Our own domains (dust.tt, eu.dust.tt) couldn't make browser requests

Impact

This affected:

  • Node.js SDK users
  • Server-to-server integrations
  • Any direct API calls without Origin headers

Solution

We implemented a more nuanced CORS handling approach:

  1. Non-CORS Requests

    • Requests without Origin headers now pass through without CORS checks
    • This restores functionality for backend services and SDK users
  2. CORS Requests

    • Only apply CORS checks when Origin header is present
  3. Headers and Methods

    • Maintained strict header validation for security
    • Properly handle preflight (OPTIONS) requests
    • Set appropriate CORS headers only when needed

Testing

I was able to reproduce the issue locally, and I confirm that this fixes it.

To verify the fix:

  1. SDK requests work without CORS headers
  2. Browser requests from allowed origins succeed
  3. Preflight requests properly validate headers
  4. Direct API calls (no Origin) work as before
  5. Unauthorized origins are still blocked

Tests

Risk

Deploy Plan
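The policy described above (no Origin means pass through; an Origin is checked against an allow-list; preflights get strict header validation), written out as an added, framework-free example that is not the project's own middleware. The origin allow-list, the allowed request headers and the lower-cased header map are assumptions for the example.

```typescript
// Added example, not dust's middleware. Models the CORS decision described in the PR.
type Req = { method: string; headers: Record<string, string | undefined> };
type Decision = { action: "pass" | "preflight" | "forbidden"; headers: Record<string, string> };

// Assumed allow-list: the front-end origin plus the product domains named in the PR.
const ALLOWED_ORIGINS = new Set(["https://front-ext.dust.tt", "https://dust.tt", "https://eu.dust.tt"]);
// Assumed set of request headers a browser may send cross-origin (lower-cased for comparison).
const ALLOWED_HEADERS = new Set(["authorization", "content-type", "x-request-id"]);
const ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS";

// Header names are assumed to arrive lower-cased, as Node's http layer delivers them.
function header(req: Req, name: string): string | undefined {
  return req.headers[name.toLowerCase()];
}

function corsDecision(req: Req): Decision {
  const origin = header(req, "origin");
  // 1. No Origin header: not a browser cross-origin request (SDK, server-to-server, curl).
  //    Pass through with no CORS processing; authentication still applies downstream.
  if (origin === undefined) return { action: "pass", headers: {} };
  // 2. Origin present but not allow-listed: block, exactly as before the fix.
  if (!ALLOWED_ORIGINS.has(origin)) return { action: "forbidden", headers: {} };
  // Echo only an allow-listed origin back; Vary keeps shared caches from reusing it for others.
  const headers: Record<string, string> = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  // 3. Preflight: every header the browser asks to send must be on the allow-list.
  if (req.method === "OPTIONS") {
    const requested = (header(req, "access-control-request-headers") ?? "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0);
    if (requested.some((h) => !ALLOWED_HEADERS.has(h))) return { action: "forbidden", headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = [...ALLOWED_HEADERS].join(", ");
    return { action: "preflight", headers }; // answered by the middleware, route not invoked
  }
  // 4. Actual cross-origin request from an allowed origin: continue, with CORS headers attached.
  return { action: "pass", headers };
}
```

Each of the five verification points in the Testing section maps to one branch of `corsDecision`, so the same table of inputs can drive a unit test.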

@flvndvd flvndvd marked this pull request as ready for review March 21, 2025 10:41
@flvndvd flvndvd merged commit 563a841 into main Mar 21, 2025
8 checks passed
@flvndvd flvndvd deleted the flav/patch-cors branch March 21, 2025 10:46