Refactor CORS config; add architectural commentary

Refactored CORS setup to be environment-aware, restricting origins in production and relaxing in development. Added extensive comments and discussion on service and repository layer design, including clean architecture best practices and CQRS/MediatR considerations. No changes to business logic; documentation and intent clarified for maintainers.
2026-01-19 11:17:36 +01:00
parent 45e5327148
commit d608ab1a6d
3 changed files with 30 additions and 5 deletions
--- a/DbFirst.API/Program.cs
+++ b/DbFirst.API/Program.cs
@@ -14,20 +14,22 @@ builder.Services.AddEndpointsApiExplorer();
 builder.Services.AddSwaggerGen();

 // TODO: allow listed origins configured in appsettings.json
+// In any case, dont let them to free to use without cors. if there is no origin specified, block all.
+// In development you can keep it easy.
 builder.Services.AddCors(options =>
-{
-    var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
+{    
    options.AddDefaultPolicy(policy =>
    {
-        if (origins.Length > 0)
+        if(builder.Environment.IsDevelopment())
        {
-            policy.WithOrigins(origins)
+            policy.AllowAnyOrigin()
                  .AllowAnyHeader()
                  .AllowAnyMethod();
        }
        else
        {
-            policy.AllowAnyOrigin()
+            var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? [];
+            policy.WithOrigins(origins)
                  .AllowAnyHeader()
                  .AllowAnyMethod();
        }