hyperonym / basaran

Basaran is an open-source alternative to the OpenAI text completion API. It provides a compatible streaming API for your Hugging Face Transformers-based text generation models.
MIT License

CORS headers #143

Closed josephrocca closed 1 year ago

josephrocca commented 1 year ago

CORS headers are required to use the API from the client side, otherwise we get errors like this:

Access to fetch at 'http://127.0.0.1/v1/completions' from origin 'http://localhost:3001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Can CORS headers be added? Client-side usage is needed in OpenCharacters.

The header: Access-Control-Allow-Origin: * should be added to /v1/completions responses.

peakji commented 1 year ago

Since Basaran is completely stateless and does not involve any user or credential information, I guess it is safe to add Access-Control-Allow-Origin: * for all endpoints?

josephrocca commented 1 year ago

Yep - although it might make sense to add API keys eventually, so that random websites that you visit can't try hitting http://127.0.0.1/v1/completions while you're browsing the web. But it's all inside docker, so there are multiple layers they'd need to get through to actually do any harm (other than wasting compute), so I think it's fine for now.

Even if a (stateless) endpoint does accept credential information, it's fine to add CORS headers to all "public-facing" endpoints. OpenAI's endpoints obviously need credentials, and have Access-Control-Allow-Origin: *.

But perhaps you meant that stateful plus (stored) credentials would be the case where we'd have to think twice about this.

peakji commented 1 year ago

Makes sense! We will make CORS configurable via environment variables.

josephrocca commented 1 year ago

I'm guessing it'll just be something like this?

from . import CORS_ALLOWED_ORIGIN

# ...

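@app.after_request
def apply_cors_headers(response):
    # Only emit the header when an origin is configured. Leaving it out keeps
    # the browser's same-origin default; the literal value 'null' would instead
    # match opaque origins such as sandboxed iframes.
    if CORS_ALLOWED_ORIGIN:
        response.headers['Access-Control-Allow-Origin'] = CORS_ALLOWED_ORIGIN
    return response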

in https://github.com/hyperonym/basaran/blob/master/basaran/__main__.py

Any rough ETA on this making it into a new Docker image version?

peakji commented 1 year ago

According to MDN, POSTing JSON is not a simple request (not sure if this is the case, as I'm not very familiar with web dev). We may need to handle preflights manually or leverage flask-cors, will check it out in the next few days.
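The preflight handling raised in the comment above, written out as an added example that is not part of the thread and not Basaran's code: a standard-library WSGI middleware that answers the browser's `OPTIONS` preflight for a JSON `POST` and adds the CORS header to real responses. `CORS_ALLOWED_ORIGIN` is the name used in the thread; `cors_headers`, `CORSMiddleware`, `demo_app`, `simulate` and the allowed method and header lists are assumptions made for the illustration.

```python
"""Added illustration (not Basaran's code): CORS with preflight handling as WSGI middleware."""
import os

ALLOW_METHODS = "GET, POST, OPTIONS"           # assumed method set for the API
ALLOW_HEADERS = "Content-Type, Authorization"  # assumed headers a JSON client sends

def cors_headers(environ, allowed_origin):
    """Return (is_preflight, headers_to_add) for one WSGI request."""
    if not allowed_origin:
        return False, []                       # CORS off: send no header at all, not 'null'
    headers = [] if allowed_origin == "*" else [("Vary", "Origin")]
    origin = environ.get("HTTP_ORIGIN")
    if origin is None or allowed_origin not in ("*", origin):
        return False, headers                  # not a permitted cross-origin request
    headers.append(("Access-Control-Allow-Origin", allowed_origin))
    preflight = (environ.get("REQUEST_METHOD") == "OPTIONS"
                 and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
    if preflight:
        headers += [("Access-Control-Allow-Methods", ALLOW_METHODS),
                    ("Access-Control-Allow-Headers", ALLOW_HEADERS),
                    ("Access-Control-Max-Age", "600")]
    return preflight, headers

class CORSMiddleware:
    """Wrap any WSGI callable and answer preflights before the app runs."""
    def __init__(self, app, allowed_origin=None):
        self.app = app
        self.allowed_origin = (os.environ.get("CORS_ALLOWED_ORIGIN", "")
                               if allowed_origin is None else allowed_origin)

    def __call__(self, environ, start_response):
        preflight, extra = cors_headers(environ, self.allowed_origin)
        if preflight:                          # OPTIONS probe: reply without invoking the model
            start_response("204 No Content", extra + [("Content-Length", "0")])
            return [b""]
        def patched(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    """Constructed stand-in for the completions endpoint."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def simulate(app, method, **environ):
    """Drive a WSGI app with a constructed request; return (status, header dict)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    b"".join(app(dict(environ, REQUEST_METHOD=method), start_response))
    return seen["status"], seen["headers"]
```
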

peakji commented 1 year ago

CORS support is added in https://github.com/hyperonym/basaran/pull/148 and enabled by default in v0.16.0.

josephrocca commented 1 year ago

Thanks!!