fix: format code for better readability and add CORS handling for OPTIONS requests

.github/workflows/ci.yml

@@ -24,21 +24,21 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Locate pip cache directory
-        id: pip-cache-dir
-        # extra output for debugging
-        run: |
-          echo "dir=$(python -m pip cache dir)" >> "$GITHUB_OUTPUT"
-          echo "dir=$(python -m pip cache dir)"
+      # - name: Locate pip cache directory
+      #   id: pip-cache-dir
+      #   # extra output for debugging
+      #   run: |
+      #     echo "dir=$(python -m pip cache dir)" >> "$GITHUB_OUTPUT"
+      #     echo "dir=$(python -m pip cache dir)"
 
-      - name: Cache pip
-        uses: actions/cache@v4
-        with:
-          path: ${{ steps.pip-cache-dir.outputs.dir }}
-          key: ${{ runner.os }}-py-${{ matrix.python-version }}-pip-${{ hashFiles('**/requirements.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-py-${{ matrix.python-version }}-pip-
-            ${{ runner.os }}-pip-
+      # - name: Cache pip
+      #   uses: actions/cache@v4
+      #   with:
+      #     path: ${{ steps.pip-cache-dir.outputs.dir }}
+      #     key: ${{ runner.os }}-py-${{ matrix.python-version }}-pip-${{ hashFiles('**/requirements.txt') }}
+      #     restore-keys: |
+      #       ${{ runner.os }}-py-${{ matrix.python-version }}-pip-
+      #       ${{ runner.os }}-pip-
 
       - name: Install dependencies
         run: |

server/middleware.py

@@ -44,7 +44,8 @@ def register_request_hooks(app: Flask) -> None:
     @app.after_request
     def add_request_id_header(response):  # type: ignore[unused-ignore]
         try:
-            rid = getattr(request, "request_id", None) or request.environ.get("HTTP_X_REQUEST_ID")
+            rid = getattr(request, "request_id", None) or request.environ.get(
+                "HTTP_X_REQUEST_ID")
             if rid:
                 response.headers["X-Request-Id"] = rid
 
@@ -62,7 +63,27 @@ def register_request_hooks(app: Flask) -> None:
                     pass
 
             start_time = getattr(g, "_start_time", None)
-            observe_request(request.method, request.path, start_time, response.status_code)
+            observe_request(request.method, request.path,
+                            start_time, response.status_code)
         except Exception:
             pass
         return response
+
+    @app.after_request
+    def add_cors_headers(response):  # type: ignore[unused-ignore]
+        # Add CORS headers for embedded forms
+        if request.path.startswith("/api/"):
+            response.headers["Access-Control-Allow-Origin"] = "*"
+            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
+
+        return response
+
+    @app.before_request
+    def handle_options():  # type: ignore[unused-ignore]
+        if request.method == "OPTIONS":
+            response = app.response_class()
+            response.headers["Access-Control-Allow-Origin"] = "*"
+            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
+            return response