Restrict CORS middleware to localhost and Tauri origins (#640)

backend/app/logging/setup_logging.py

@@ -243,16 +243,16 @@ def emit(self, record: logging.LogRecord) -> None:
         # Create a message that includes the original module in the format
         msg = record.getMessage()
 
-        record.msg = f"[{module_name}] {msg}"
-        record.args = ()
-        # Clear exception / stack info to avoid duplicate traces
-        record.exc_info = None
-        record.stack_info = None
-
-        root_logger = logging.getLogger()
-        for handler in root_logger.handlers:
-            if handler is not self:
-                handler.handle(record)
+        # Find the appropriate logger
+        # Prevent recursion: if the module name matches the intercepted loggers,
+        # use a different name to avoid triggering the same handler again.
+        if module_name in ["uvicorn", "asyncio"]:
+            module_name = f"{module_name}_redirect"
+
+        logger = get_logger(module_name)
+
+        # Log the message with our custom formatting
+        logger.log(record.levelno, f"[uvicorn] {msg}")
 
 
 def configure_uvicorn_logging(component_name: str) -> None:

backend/main.py

@@ -105,13 +105,20 @@ def generate_openapi_json():
         logger.error(f"Failed to generate openapi.json: {e}")
 
 
+origins = [
+    "http://localhost:1420",  # Tauri development
+    "http://localhost:5173",  # Vite development
+    "tauri://localhost",  # Tauri production (macOS/Linux)
+    "https://tauri.localhost",  # Tauri production (Windows)
+]
+
 # Add CORS middleware
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Allows all origins
+    allow_origins=origins,  # Whitelist only known localhost origins
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],  # Explicit methods
+    allow_headers=["Content-Type", "Accept", "Authorization"],  # Explicit headers
 )