fix: restrict CORS origins, require payment env vars, replace raw SQL with Prisma findMany

- AI service: replace allow_origins=["*"] with env-configured AI_CORS_ORIGINS - Payment services (VNPay, MoMo, ZaloPay): use requireEnv() instead of empty string defaults for credentials - Search indexer: replace raw SQL template literals with Prisma findMany + parameterized PostGIS queries Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:11:59 +07:00
parent 271ad76e6f
commit 811417d77d
6 changed files with 136 additions and 155 deletions
--- a/libs/ai-services/app/config.py
+++ b/libs/ai-services/app/config.py
@@ -6,8 +6,17 @@ class Settings(BaseSettings):
    debug: bool = False
    model_path: str = "/app/models"
    log_level: str = "info"
+    cors_origins: str = ""
+    api_key: str = ""
+    rate_limit: str = "60/minute"

    model_config = {"env_prefix": "AI_"}

+    @property
+    def cors_origin_list(self) -> list[str]:
+        if not self.cors_origins:
+            return []
+        return [o.strip() for o in self.cors_origins.split(",") if o.strip()]
+

 settings = Settings()
--- a/libs/ai-services/app/main.py
+++ b/libs/ai-services/app/main.py
@@ -11,9 +11,12 @@ app = FastAPI(
    redoc_url="/redoc",
 )

+if not settings.cors_origin_list:
+    raise RuntimeError("AI_CORS_ORIGINS must be set (comma-separated list of allowed origins)")
+
 app.add_middleware(
    CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=settings.cors_origin_list,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],