Fix auth : CORS outermost + dev rate limit + filtre workspace réactif

- Middleware : CORSMiddleware ajouté en dernier = plus externe = tous les codes de retour (dont 429) portent Access-Control-Allow-Origin → résout "no response / Failed to fetch" sur POST /auth/challenge - Dev mode : rate_limit_auth = RATE_LIMIT_DEFAULT (60/min) au lieu de 10/min → plus de blocage login après quelques reconnexions - app.vue : watcher activeSlug → refetch documents/décisions/protocoles/mandats → le sélecteur de workspace filtre désormais le contenu en temps réel - TDD : 4 tests middleware (RED→GREEN) + doc méthode docs/dev/tdd-methode.md - Régression : 190/190 tests verts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-23 15:51:28 +02:00
parent 79e468b40f
commit fc84600f97
4 changed files with 355 additions and 11 deletions
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -86,8 +86,31 @@ app = FastAPI(


 # ── Middleware stack ──────────────────────────────────────────────────────
-# Middleware is applied in reverse order: last added = first executed.
-# Order: SecurityHeaders -> RateLimiter -> CORS -> Application
+# add_middleware is LIFO: last added = outermost = first to execute on request,
+# last to execute on response (wraps everything inside it).
+#
+# Required order so CORS headers appear on ALL responses including 429:
+#   CORS (outermost) → RateLimiter → SecurityHeaders → Application
+#
+# If RateLimiter were outside CORS, its 429 responses would have no CORS
+# headers and the browser would silently discard them as network errors.
+
+app.add_middleware(SecurityHeadersMiddleware)
+
+# In dev mode, use the default (higher) limit for auth to avoid login lockout
+# during repeated disconnect/reconnect cycles.
+_auth_rate_limit = (
+    settings.RATE_LIMIT_DEFAULT
+    if settings.ENVIRONMENT == "development"
+    else settings.RATE_LIMIT_AUTH
+)
+
+app.add_middleware(
+    RateLimiterMiddleware,
+    rate_limit_default=settings.RATE_LIMIT_DEFAULT,
+    rate_limit_auth=_auth_rate_limit,
+    rate_limit_vote=settings.RATE_LIMIT_VOTE,
+)

 app.add_middleware(
    CORSMiddleware,
@@ -97,15 +120,6 @@ app.add_middleware(
    allow_headers=["*"],
 )

-app.add_middleware(
-    RateLimiterMiddleware,
-    rate_limit_default=settings.RATE_LIMIT_DEFAULT,
-    rate_limit_auth=settings.RATE_LIMIT_AUTH,
-    rate_limit_vote=settings.RATE_LIMIT_VOTE,
-)
-
-app.add_middleware(SecurityHeadersMiddleware)
-

 # ── Routers ──────────────────────────────────────────────────────────────