Closed josephrocca closed 1 year ago
Since Basaran is completely stateless and does not involve any user or credential information, I guess it is safe to add Access-Control-Allow-Origin: *
for all endpoints?
Yep - although it might make sense to add API keys eventually, so that random websites that you visit can't try hitting http://127.0.0.1/v1/completions
while you're browsing the web. But it's all inside docker, so there are multiple layers they'd need to get through to actually do any harm (other than wasting compute), so I think it's fine for now.
Even if a (stateless) endpoint does accept credential information, it's fine to add CORS headers to all "public-facing" endpoints. OpenAI's endpoints obviously need credentials, and have Access-Control-Allow-Origin: *
.
But perhaps you meant that stateful plus (stored) credentials would be the case where we'd have to think twice about this.
Make sense! We will make CORS configurable via environment variables.
I'm guessing it'll just be something like this?
from . import CORS_ALLOWED_ORIGIN
# ...
@app.after_request
def apply_cors_headers(response):
if CORS_ALLOWED_ORIGIN:
response.headers['Access-Control-Allow-Origin'] = CORS_ALLOWED_ORIGIN
else:
response.headers['Access-Control-Allow-Origin'] = 'null'
return response
in https://github.com/hyperonym/basaran/blob/master/basaran/__main__.py
Any rough ETA on this making it into a new Docker image version?
According to MDN, POST
ing a JSON is not a simple request. (not sure if this is the case as I'm not very familiar with web dev). We may need to handle preflights manually or leverage flask-cors, will check it out in the next few days.
CORS support is added in https://github.com/hyperonym/basaran/pull/148 and enabled by default in v0.16.0
.
Thanks!!
CORS headers are required to use the API from the client side, otherwise we get errors like this:
Can CORS headers be added? Client-side usage is needed in OpenCharacters.
The header:
Access-Control-Allow-Origin: *
should be added to/v1/completions
responses.