From 7fe53f882a5f1901dc9d07ebb704dfbd0ef20bb6 Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Mon, 27 Apr 2026 09:41:28 +0200
Subject: [PATCH] hotfix(v1.7.8): restore CORS wildcard and fix CSP for MSAL auth

- Revert automatic CORS wildcard stripping that broke production deployments with CORS_ORIGINS=* (now logs a warning but preserves the config)
- Expand CSP headers to allow MSAL auth flows:
- connect-src: login.microsoftonline.com
- frame-src: login.microsoftonline.com
- form-action: login.microsoftonline.com
---
 VERSION | 2 +-
 backend/main.py | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/VERSION b/VERSION
index 91c74a5..84298f9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.7.7
+1.7.8
diff --git a/backend/main.py b/backend/main.py
index e83a658..15da6d6 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -52,14 +52,12 @@ logger = structlog.get_logger("aoc.fetcher")
 
 app = FastAPI()
 
-# CORS: reject wildcard in production when auth is enabled
+# CORS: warn if wildcard is used with auth enabled, but do not break deployments
 _effective_cors = CORS_ORIGINS
 if AUTH_ENABLED and "*" in _effective_cors:
     logger.warning(
-        "CORS wildcard (*) is insecure when AUTH_ENABLED=true. "
-        "Removing wildcard. Set CORS_ORIGINS explicitly in production."
+        "CORS wildcard (*) is insecure when AUTH_ENABLED=true. Set CORS_ORIGINS to your actual origin(s) in production."
     )
-        _effective_cors = [o for o in _effective_cors if o != "*"] or ["http://localhost:8000"]
 
 app.add_middleware(CorrelationIdMiddleware)
 app.add_middleware(
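Review bot: The retained branch only logs once at startup and then passes the wildcard list through unchanged, so `CORS_ORIGINS=*` with `AUTH_ENABLED=true` now runs in production behind a single warning that is easy to miss in structured logs. The `app.add_middleware(` call that starts on the last line of the hunk continues outside it; if it passes `allow_credentials=True`, that is the combination to flag, since Starlette's CORSMiddleware, as far as I recall, reflects the request Origin on credentialed requests when all origins are allowed, which lets any site make authenticated cross-origin calls against the API. At minimum attach the offending value to the event so it is searchable, `logger.warning("CORS wildcard (*) is insecure when AUTH_ENABLED=true. Set CORS_ORIGINS to your actual origin(s) in production.", cors_origins=_effective_cors)`, and consider requiring an explicit opt-in setting before the wildcard is accepted rather than accepting it by default. The check `"*" in _effective_cors` reads as a list membership test, matching the removed comprehension; if `CORS_ORIGINS` can arrive as a raw string it degrades to a substring test — cannot be confirmed from here.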
@@ -89,13 +87,15 @@ async def cache_control_middleware(request: Request, call_next):
     response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
     response.headers["Pragma"] = "no-cache"
     response.headers["Expires"] = "0"
-    # Basic CSP for the UI and API
+    # Basic CSP for the UI and API (allows MSAL auth flows)
     if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
         response.headers["Content-Security-Policy"] = (
             "default-src 'self'; "
             "script-src 'self' 'unsafe-inline' cdn.jsdelivr.net alcdn.msauth.net; "
             "style-src 'self' 'unsafe-inline'; "
-            "connect-src 'self'; "
+            "connect-src 'self' https://login.microsoftonline.com; "
+            "frame-src 'self' https://login.microsoftonline.com; "
+            "form-action 'self' https://login.microsoftonline.com; "
             "img-src 'self' data:;"
         )
     return response
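Review bot: While the policy is being extended directive by directive, the new `form-action` entry is needed precisely because that directive does not fall back to `default-src`, and the same holds for `base-uri` and `frame-ancestors`, which the policy still leaves unset; adding `"base-uri 'self'; "` and `"frame-ancestors 'self'; "` next to the new lines closes that gap without touching the MSAL flow. The new `frame-src` line is presumably for MSAL's hidden-iframe silent token renewal, and a comment saying so would keep the next maintainer from dropping it, e.g. `# frame-src: MSAL silent token renewal runs in a hidden iframe to the authority`. The three new allowances repeat the same host literal; if the authority host is already configured elsewhere, deriving it from that setting would keep the CSP and the auth config from drifting — cannot tell from here whether such a setting exists. Note the header is only attached on `/api/` paths and the index document (context line), so any other HTML route is served without a CSP; cache_control_middleware starts outside the hunk.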