Add configurable CORS handling to proxy-metrics and proxy-health functions

[adm01-debug]

Motivation

• Replace the previous wildcard CORS policy with a safer, configurable origin allowlist to avoid exposing * for Access-Control-Allow-Origin.
• Allow specifying allowed origins via environment variables and preserve correct caching behavior by adding a Vary: Origin header.

Description

• Introduces DEFAULT_ALLOWED_ORIGIN and ALLOWED_ORIGINS (from PROXY_METRICS_ALLOWED_ORIGINS / PROXY_HEALTH_ALLOWED_ORIGINS) and defaults to the app plus common localhost dev origins.
• Adds getPromHeaders and getCorsHeaders helper functions that pick the Access-Control-Allow-Origin based on the request Origin header and include Vary: Origin.
• Replaces previous static header objects (which used '*') with the dynamic headers in both supabase/functions/proxy-metrics/index.ts and supabase/functions/proxy-health/index.ts and ensures OPTIONS and other responses use the computed headers.
• Preserves existing behavior for auth, metrics collection, and exposition format while tightening CORS configuration.

Testing

• Performed local smoke runs of both functions and exercised OPTIONS and GET requests with allowed and disallowed Origin headers; responses contained the expected Access-Control-Allow-Origin and Vary headers.
• Verified that the endpoints still return expected statuses for auth failures and data fetch errors during the smoke tests, and that normal metric exposition remains unchanged.

---

Codex Task

[coderabbitai]

Warning

Rate limit exceeded

@adm01-debug has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 44 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bbf43d05-7e91-4b7f-9eaf-27e8f5838dfa

📥 Commits

Reviewing files that changed from the base of the PR and between 6ad6d57 and 26c8be8.

📒 Files selected for processing (2)

• supabase/functions/proxy-health/index.ts
• supabase/functions/proxy-metrics/index.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/realizar-auditoria-tecnica-exaustiva-yux0f4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26c8be86f7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove hardcoded fallback origin from allowlist check

This fallback makes the allowlist non-authoritative: even if PROXY_HEALTH_ALLOWED_ORIGINS is explicitly set without https://pronto-talk-suite.lovable.app, requests from that origin still receive Access-Control-Allow-Origin equal to their origin because non-matches are forced to DEFAULT_ALLOWED_ORIGIN. In practice, operators cannot fully restrict CORS via env vars, and the same bypass pattern exists in proxy-metrics (getPromHeaders). For strict deployments, this unintentionally permits cross-origin reads from the hardcoded domain.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Adds configurable, origin-validated CORS behavior to the proxy-metrics and proxy-health Supabase Edge Functions, replacing the previous wildcard (*) CORS policy and adding Vary: Origin to preserve correct caching semantics.

Changes:

• Introduces per-function origin allowlists (from env) with a default origin + local dev origins.
• Generates response headers dynamically based on the request Origin and uses those headers for OPTIONS and main responses.
• Adds Vary: Origin to avoid incorrect shared-cache behavior across different origins.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
supabase/functions/proxy-metrics/index.ts	Replaces static PROM_HEADERS (with *) with dynamic headers derived from Origin + env-configured allowlist.
supabase/functions/proxy-health/index.ts	Replaces static CORS headers (with *) with a helper that selects an allowed origin and adds Vary: Origin.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The same fallback logic as proxy-metrics (ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : DEFAULT_ALLOWED_ORIGIN) makes the default origin effectively always allowed, even if PROXY_HEALTH_ALLOWED_ORIGINS is configured to exclude it. If the goal is a configurable allowlist, consider making the default origin configurable too, or omitting Access-Control-Allow-Origin for disallowed origins.

Suggested change

	const allowOrigin = ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : DEFAULT_ALLOWED_ORIGIN
	return {
	'Access-Control-Allow-Origin': allowOrigin,
	'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
	Vary: 'Origin',
	}
	const headers: Record<string, string> = {
	'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
	Vary: 'Origin',
	}
	if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
	headers['Access-Control-Allow-Origin'] = requestOrigin
	}
	return headers

[Copilot]

getCorsHeaders() omits Access-Control-Allow-Methods. For preflight requests, browsers validate Access-Control-Request-Method against Access-Control-Allow-Methods, and omitting it can cause CORS failures (even for GET requests when using Authorization/custom headers). Add an explicit allow-methods value (e.g., GET, OPTIONS) to this header set.

Suggested change

	'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
	'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
	'Access-Control-Allow-Methods': 'GET, OPTIONS',

[Copilot]

This function introduces its own allowed-origin parsing and CORS header construction, but the codebase already provides getCorsHeaders(req) / handleCors(req) in supabase/functions/_shared/validation.ts (with origin validation, localhost/preview handling, and security headers). Consider reusing/extending the shared helper to avoid CORS behavior diverging across edge functions.

[Copilot]

The fallback logic ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : DEFAULT_ALLOWED_ORIGIN means the default origin will still be CORS-allowed even if PROXY_METRICS_ALLOWED_ORIGINS is configured to exclude it (requests from the default origin will hit the fallback and still get Access-Control-Allow-Origin set). If the intent is a fully configurable allowlist, consider making the default origin configurable via env too, or omitting Access-Control-Allow-Origin when the request origin is not allowed.

Suggested change

	const allowOrigin = ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : DEFAULT_ALLOWED_ORIGIN
	return {
	'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
	'Cache-Control': 'no-store',
	'Access-Control-Allow-Origin': allowOrigin,
	'Access-Control-Allow-Headers': 'authorization, content-type',
	'Access-Control-Allow-Methods': 'GET, OPTIONS',
	Vary: 'Origin',
	}
	const headers: Record<string, string> = {
	'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
	'Cache-Control': 'no-store',
	'Access-Control-Allow-Headers': 'authorization, content-type',
	'Access-Control-Allow-Methods': 'GET, OPTIONS',
	Vary: 'Origin',
	}
	if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
	headers['Access-Control-Allow-Origin'] = requestOrigin
	}
	return headers

[Copilot]

This adds a local CORS/origin allowlist implementation, but the repo already has a shared, origin-validated getCorsHeaders(req) helper in supabase/functions/_shared/validation.ts (and notes not to use ad-hoc CORS in new code). Duplicating CORS logic in each function increases drift risk (e.g., preview origins / localhost port handling / security headers); consider reusing/extending the shared helper and layering Prometheus-specific headers (Content-Type, etc.) on top.

[adm01-debug]

Folded into umbrella PR #32. Note: PR #27 (already on main) had centralized CORS via _shared/validation.ts ahead of this PR, so the merge kept that more advanced pattern and removed the unused ALLOWED_ORIGINS constants this PR introduced. Functional intent is preserved (configurable per-endpoint origins via _shared/validation's getCorsHeaders). Will auto-close when #32 lands.

---

Generated by Claude Code