Update CORS config; add architecture discussion comments

- Make CORS policy environment-aware: allow any origin in development, restrict to configured origins in production. - Add detailed comments in CatalogService.cs and ICatalogRepository.cs discussing generic CRUD services, CQRS with MediatR, and repository interface placement, including both Copilot's and Hakan's perspectives. - No functional changes to service or repository logic.
2026-01-19 14:48:55 +01:00
parent 0af0c4589d d608ab1a6d
commit 8d3783cfec
3 changed files with 65 additions and 7 deletions
--- a/DbFirst.API/Program.cs
+++ b/DbFirst.API/Program.cs
@@ -14,20 +14,22 @@ builder.Services.AddEndpointsApiExplorer();
 builder.Services.AddSwaggerGen();

 // TODO: allow listed origins configured in appsettings.json
+// In any case, dont let them to free to use without cors. if there is no origin specified, block all.
+// In development you can keep it easy.
 builder.Services.AddCors(options =>
-{
-    var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
+{    
    options.AddDefaultPolicy(policy =>
    {
-        if (origins.Length > 0)
+        if(builder.Environment.IsDevelopment())
        {
-            policy.WithOrigins(origins)
+            policy.AllowAnyOrigin()
                  .AllowAnyHeader()
                  .AllowAnyMethod();
        }
        else
        {
-            policy.AllowAnyOrigin()
+            var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? [];
+            policy.WithOrigins(origins)
                  .AllowAnyHeader()
                  .AllowAnyMethod();
        }