Fix/cloudrun cors#36

Merged
SanghunYun95 merged 91 commits into main from fix/cloudrun-cors
Mar 29, 2026

Conversation

SanghunYun95 (Owner) commented Mar 29, 2026

Summary by CodeRabbit

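Release notes

  • Maintenance
    • Increased the per-minute request allowance for a specific chat-related title generation endpoint
    • Enabled anonymous (unauthenticated) access to the service through a deployment configuration change
    • Improved compatibility by updating the trusted ranges for header handling in proxy environments
    • Cleaned up the CORS policy by adjusting the list of allowed origins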

… (deploy.yml, Dockerfile, ingest_data.py, update_metadata.py)
…le exec, fail-fast config, .dockerignore cleanup)
…sh language consistency, non-intrusive fail-fast validation)

vercel bot commented Mar 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| philo-rag | Ready | Preview, Comment | Mar 29, 2026 2:19am |


coderabbitai bot commented Mar 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 126ef65a-4d74-4f0c-a616-c1a7cf2d0be4

📥 Commits

Reviewing files that changed from the base of the PR and between f0fca5c and de4118e.

📒 Files selected for processing (2)
  • backend/Dockerfile
  • backend/app/api/routes/chat.py
✅ Files skipped from review due to trivial changes (1)
  • backend/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
  • backend/app/api/routes/chat.py

📝 Walkthrough

The Cloud Run deployment flag --allow-unauthenticated was added, and --forwarded-allow-ips='130.211.0.0/22,35.191.0.0/16' was added to the uvicorn command in the Dockerfile. The rate limit on the /title POST endpoint was changed from "5/minute" to "10/minute", and two Firebase subdomains were removed from the CORS allowed origins.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Deployment workflow: .github/workflows/deploy.yml | Added flags: --allow-unauthenticated to the Cloud Run deploy inputs; the service is now configured to accept unauthenticated requests. |
| Container execution: backend/Dockerfile | Added the --forwarded-allow-ips='130.211.0.0/22,35.191.0.0/16' flag to the uvicorn command; specific proxy IP ranges are now trusted. |
| API rate limiting: backend/app/api/routes/chat.py | Changed the @limiter.limit value on the /title POST handler (chat_title_endpoint): "5/minute" → "10/minute". Limits on other endpoints are unchanged. |
| CORS settings: backend/app/main.py | Removed https://vigilant-shift-490601-t5.web.app and https://vigilant-shift-490601-t5.firebaseapp.com from the CORS allowed origins list; the remaining existing origins are kept. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

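🐰 Open the door and whoosh, the wind blows in,
Lighting the proxy path and trusting the headers,
Handing over titles at a faster rate per second,
The unneeded domains have been tidied away,
Hop hop, the deployment feels much lighter now 🥕✨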

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

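| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The PR title is vague and non-specific, and does not clearly describe the actual changes (Cloud Run authentication, Dockerfile IP trust settings, rate limit adjustment, CORS origin removal). | Make the title more specific. For example: 'Remove CORS origins and improve security settings', or revise it to a title that makes the main purpose of the changes clear. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |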

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy.yml:
- Line 58: The deployment currently exposes the service with flags:
'--allow-unauthenticated' while the chat endpoints (functions handling POST
/api/v1/chat and /api/v1/chat/title in chat.py) lack any Depends-based auth and
the declared rate limiter (variable/instance named limiter) is not applied; fix
by removing or gatekeeping the '--allow-unauthenticated' deploy flag or adding
an edge auth layer, then implement one of: add a request authentication
dependency (e.g., an API key or JWT dependency and wire it into the POST
handlers via Depends in the chat.py route functions), or apply rate limiting
decorators (use `@limiter.limit`(...) on the POST handlers for /api/v1/chat and
/api/v1/chat/title), or configure Cloud Armor/IAP at deployment — ensure the
chosen protection covers all routes that call OpenAI (translation/embedding/LLM
streaming) and log rejected requests.

In `@backend/Dockerfile`:
- Line 44: The CMD starting uvicorn in the Dockerfile currently uses
--proxy-headers with --forwarded-allow-ips='*', which trusts all X-Forwarded-*
headers and allows IP spoofing; update the CMD that runs uvicorn (the CMD line
invoking "uvicorn app.main:app") to replace --forwarded-allow-ips='*' with the
Cloud Run GFE CIDR ranges (e.g., 130.211.0.0/22,35.191.0.0/16) so only GFE
proxies are trusted, and optionally document or configure platform-level ingress
(Cloud Run ingress set to internal-and-cloud-load-balancing) as an alternative
mitigation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ba43c6c-1d9d-4569-ac01-16398199a983

📥 Commits

Reviewing files that changed from the base of the PR and between f58eab1 and f0fca5c.

📒 Files selected for processing (4)
  • .github/workflows/deploy.yml
  • backend/Dockerfile
  • backend/app/api/routes/chat.py
  • backend/app/main.py
💤 Files with no reviewable changes (1)
  • backend/app/api/routes/chat.py

Comment thread .github/workflows/deploy.yml
Comment thread backend/Dockerfile Outdated
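
An added illustration (not code from this PR, and not uvicorn's implementation) of why the Dockerfile comment above asks for `--forwarded-allow-ips` to be narrowed from `'*'` to the two CIDR ranges: a simplified model of trusted-proxy resolution showing which address a per-IP rate limiter would end up keying on. The function names and all sample addresses are hypothetical and constructed for the example.

```python
import ipaddress

# CIDR ranges quoted in the review comment above.
GFE_RANGES = "130.211.0.0/22,35.191.0.0/16"

def parse_trusted(spec):
    """Parse a comma-separated allowlist; '*' means every peer is trusted."""
    if spec.strip() == "*":
        return None
    return [ipaddress.ip_network(p.strip()) for p in spec.split(",") if p.strip()]

def is_trusted(host, trusted):
    if trusted is None:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparseable header entries are never trusted
    return any(addr in net for net in trusted)

def resolve_client_ip(peer_ip, x_forwarded_for, trusted_spec):
    """Return the address a per-IP rate limiter should key on."""
    trusted = parse_trusted(trusted_spec)
    if not x_forwarded_for or not is_trusted(peer_ip, trusted):
        return peer_ip  # header ignored: the sender is not a trusted proxy
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else peer_ip

def demo():
    # Constructed header: "10.0.0.1" is a value the caller wrote themselves,
    # "203.0.113.20" is the address appended by the proxy in front of the app.
    xff = "10.0.0.1, 203.0.113.20"
    proxy_peer = "35.191.0.7"      # inside 35.191.0.0/16
    direct_peer = "198.51.100.5"   # outside both ranges
    return {
        "wildcard": resolve_client_ip(proxy_peer, xff, "*"),
        "allowlist": resolve_client_ip(proxy_peer, xff, GFE_RANGES),
        "direct": resolve_client_ip(direct_peer, xff, GFE_RANGES),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:10s} -> {ip}")
```

With the wildcard, the caller-written entry becomes the rate-limit key, so the `@limiter.limit` budget can be reset by changing a header; with the allowlist, only the entry appended by a trusted proxy is used, and headers from peers outside the ranges are ignored.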
@SanghunYun95 SanghunYun95 merged commit 728a54e into main Mar 29, 2026
3 checks passed