fix: validate_startup checks CORS wildcard in production

validate_startup() now exits with an error if CORS_ORIGINS contains a wildcard '*' in production mode, matching the runtime stripping already done in _get_cors_origins(). Fixes #472 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-19 15:30:37 -04:00
2 changed files with 19 additions and 0 deletions
--- a/src/config.py
+++ b/src/config.py
@@ -469,6 +469,12 @@ def validate_startup(*, force: bool = False) -> None:
                ", ".join(_missing),
            )
            sys.exit(1)
+        if "*" in settings.cors_origins:
+            _startup_logger.error(
+                "PRODUCTION SECURITY ERROR: Wildcard '*' in CORS_ORIGINS is not "
+                "allowed in production — set explicit origins via CORS_ORIGINS env var."
+            )
+            sys.exit(1)
        _startup_logger.info("Production mode: security secrets validated ✓")
    else:
        if not settings.l402_hmac_secret:
--- a/tests/test_lazy_init.py
+++ b/tests/test_lazy_init.py
@@ -37,6 +37,19 @@ class TestConfigLazyValidation:
        ):
            validate_startup(force=True)

+    def test_validate_startup_exits_on_cors_wildcard_in_production(self):
+        """validate_startup() should exit in production when CORS has wildcard."""
+        from config import settings, validate_startup
+
+        with (
+            patch.object(settings, "timmy_env", "production"),
+            patch.object(settings, "l402_hmac_secret", "test-secret-hex-value-32"),
+            patch.object(settings, "l402_macaroon_secret", "test-macaroon-hex-value-32"),
+            patch.object(settings, "cors_origins", ["*"]),
+            pytest.raises(SystemExit),
+        ):
+            validate_startup(force=True)
+
    def test_validate_startup_ok_with_secrets(self):
        """validate_startup() should not exit when secrets are set."""
        from config import settings, validate_startup