fix(prod): cross-origin auth + lenient CORS env + CLI URL

Ryan · Ryan · commit a396f08be850 · 2026-04-28T02:42:26.000-04:00
Backend
- Settings.cors_origins now uses Annotated[..., NoDecode] + a field
  validator so the CORS_ORIGINS env var accepts JSON, comma-separated,
  or single-value forms instead of erroring with SettingsError.
- Add session_cookie_samesite setting; auth callback uses it instead
  of the hardcoded "lax" so we can set "none" in cross-site prod
  (dploy.ryantanen.com -&gt; *.modal.run) while keeping "lax" locally.
- .env.example documents both new keys.

CLI
- Bundle config bakes in the stable modal deploy URL
  (hackprinceton--dploy-backend-fastapi-app.modal.run) instead of the
  ephemeral modal serve `-dev` URL that regenerates per session.
- Bump @ryantanen/dploy to 0.0.5; v0.0.5 tag triggers npm publish via
  cli-release.yml.

Made-with: Cursor
diff --git a/backend/.env.example b/backend/.env.example
@@ -17,11 +17,20 @@ GITHUB_REDIRECT_URI=http://localhost:8000/api/v1/auth/github/callback
 # Where to redirect the user after a successful login.
 FRONTEND_URL=http://localhost:5173
 
-# Session cookie. Set SESSION_COOKIE_SECURE=true behind HTTPS.
+# Session cookie.
+# - SESSION_COOKIE_SECURE=true behind HTTPS.
+# - SESSION_COOKIE_SAMESITE: "lax" for same-site (local dev, single-origin
+#   prod), "none" when frontend and backend live on different origins
+#   (e.g. dploy.ryantanen.com → *.modal.run). "none" requires SECURE=true.
 SESSION_COOKIE_NAME=dploy_session
 SESSION_COOKIE_SECURE=false
+SESSION_COOKIE_SAMESITE=lax
 SESSION_TTL_HOURS=168
 
+# CORS allowlist for the frontend origin(s). JSON list. Required when the
+# frontend is on a different origin from the backend.
+# CORS_ORIGINS=["https://dploy.ryantanen.com","http://localhost:5173"]
+
 # Used to sign short-lived values like the OAuth `state`. Use a long random
 # string in production: `python -c "import secrets; print(secrets.token_urlsafe(48))"`
 SESSION_SECRET=dev-only-change-me
diff --git a/backend/app/api/routes/auth.py b/backend/app/api/routes/auth.py
@@ -88,7 +88,7 @@ async def github_callback(
         max_age=settings.session_ttl_hours * 3600,
         httponly=True,
         secure=settings.session_cookie_secure,
-        samesite="lax",
+        samesite=settings.session_cookie_samesite,
         path="/",
     )
     return redirect
diff --git a/backend/app/core/config.py b/backend/app/core/config.py
@@ -1,6 +1,9 @@
+import json
 from functools import lru_cache
+from typing import Annotated
 
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import field_validator
+from pydantic_settings import BaseSettings, NoDecode, SettingsConfigDict
 
 
 class Settings(BaseSettings):
@@ -16,11 +19,25 @@ class Settings(BaseSettings):
     api_v1_prefix: str = "/api/v1"
     debug: bool = False
 
-    cors_origins: list[str] = [
+    cors_origins: Annotated[list[str], NoDecode] = [
         "http://localhost:5173",
         "http://localhost:3000",
     ]
 
+    @field_validator("cors_origins", mode="before")
+    @classmethod
+    def _parse_cors_origins(cls, v):
+        if v is None or isinstance(v, list):
+            return v
+        if isinstance(v, str):
+            s = v.strip()
+            if not s:
+                return []
+            if s.startswith("["):
+                return json.loads(s)
+            return [origin.strip() for origin in s.split(",") if origin.strip()]
+        return v
+
     database_url: str = "sqlite+aiosqlite:///./app.db"
     db_echo: bool = False
 
@@ -40,6 +57,7 @@ class Settings(BaseSettings):
     # Session cookie.
     session_cookie_name: str = "dploy_session"
     session_cookie_secure: bool = False
+    session_cookie_samesite: str = "lax"  # "lax" | "strict" | "none"
     session_ttl_hours: int = 24 * 7
 
     # Used to HMAC-sign short-lived values like the OAuth `state` param. Set
diff --git a/cli/package.json b/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@ryantanen/dploy",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "Vercel-style just-deploy-it CLI. Point dploy at a GitHub repo and get a live URL.",
   "type": "module",
   "license": "MIT",
diff --git a/cli/tsup.bundle.config.ts b/cli/tsup.bundle.config.ts
@@ -1,16 +1,6 @@
 import { defineConfig } from "tsup";
 
-// Production bundle config: inlines every npm dep into a single file so the
-// release tarball doesn't need `node_modules` on the user's machine. Used by
-// CI (`pnpm build:bundle`) — local `pnpm build` keeps deps external for fast
-// dev rebuilds.
-//
-// `react-devtools-core` is statically imported by ink/build/devtools.js but
-// only used at runtime when REACT_DEVTOOLS=true. We stub it at build time so
-// the CLI doesn't carry ~6MB of devtools client code we never use.
-// Production backend URL the published bundle points at by default. Users
-// can still override at runtime with `DPLOY_API_URL=...` (see config.ts).
-const PROD_API_URL = "https://hackprinceton--dploy-backend-fastapi-app-dev.modal.run";
+const PROD_API_URL = "https://hackprinceton--dploy-backend-fastapi-app.modal.run";
 
 export default defineConfig({
   entry: ["src/cli.tsx"],

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ async def github_callback(`
`88`	`88`	`max_age=settings.session_ttl_hours * 3600,`
`89`	`89`	`httponly=True,`
`90`	`90`	`secure=settings.session_cookie_secure,`
`91`		`- samesite="lax",`
	`91`	`+ samesite=settings.session_cookie_samesite,`
`92`	`92`	`path="/",`
`93`	`93`	`)`
`94`	`94`	`return redirect`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@ryantanen/dploy",`
`3`		`- "version": "0.0.4",`
	`3`	`+ "version": "0.0.5",`
`4`	`4`	`"description": "Vercel-style just-deploy-it CLI. Point dploy at a GitHub repo and get a live URL.",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"license": "MIT",`