From 13855f2d296f26d9b443dc2bf9c035dc4abda264 Mon Sep 17 00:00:00 2001
From: lucaskmpz
Date: Fri, 23 Jan 2026 23:32:30 -0300
Subject: [PATCH] feat: enabling CORS to allow requisitions from frontend
---
 inventory_api/settings.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/inventory_api/settings.py b/inventory_api/settings.py
index 0ffbffb..7fe4902 100644
--- a/inventory_api/settings.py
+++ b/inventory_api/settings.py
@@ -38,9 +38,12 @@
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'entities',
+ 'corsheaders',
 ]
 
 MIDDLEWARE = [
+ 'corsheaders.middleware.CorsMiddleware',
+ # keep CorsMiddleware as high as possible (before CommonMiddleware)
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
@@ -116,3 +119,20 @@
 # https://docs.djangoproject.com/en/6.0/howto/static-files/
 
 STATIC_URL = 'static/'
+
+# CORS settings: use environment variable CORS_ALLOWED_ORIGINS (comma-separated) in production
+import os
+
+_cors_origins = os.environ.get('CORS_ALLOWED_ORIGINS')
+if _cors_origins:
+ CORS_ALLOWED_ORIGINS = [u.strip() for u in _cors_origins.split(',') if u.strip()]
+else:
+ # safe default for development when using a local frontend dev server
+ CORS_ALLOWED_ORIGINS = [
+ 'http://localhost:5173',
+ 'http://127.0.0.1:5173',
+ ]
+
+# If you need cookie authentication across origins enable credentials
+# CORS_ALLOW_CREDENTIALS = True
+
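Review bot: The diffstat lists only `inventory_api/settings.py`, so nothing in this patch adds the package that provides `corsheaders` (django-cors-headers) to the project's dependency manifest; if it is not already pinned elsewhere, Django will fail at startup on the new `INSTALLED_APPS` entry. In `MIDDLEWARE`, the explanatory comment sits below the entry it describes; placing it above `'corsheaders.middleware.CorsMiddleware',` and wording it as `# CorsMiddleware must run before any middleware that can generate a response (e.g. CommonMiddleware), otherwise those responses are sent without CORS headers` makes the ordering constraint harder to break in a later edit. Both lists start and end outside the hunk.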
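Review bot: The `else:` branch applies the localhost origins whenever `CORS_ALLOWED_ORIGINS` is unset or empty, so a production deploy that forgets the variable silently trusts `http://localhost:5173` and `http://127.0.0.1:5173` instead of failing closed. Gating the fallback on the debug flag would fix that: `elif DEBUG:` for the dev list, followed by `else:` with `CORS_ALLOWED_ORIGINS = []` (this assumes `DEBUG` is defined earlier in the file, which the hunk does not show). `import os` belongs with the imports at the top of the module rather than after `STATIC_URL`. The commented `CORS_ALLOW_CREDENTIALS` hint deserves a caveat, for example `# With credentials enabled every listed origin can act with the user's session: keep the list exact, never combine with CORS_ALLOW_ALL_ORIGINS, and review CSRF_TRUSTED_ORIGINS and the cookie SameSite settings`.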