Proxy API requests through Vite dev server and remove CORS

README.md

@@ -45,9 +45,11 @@ OKTA_DOMAIN=<YOUR_OKTA_DOMAIN> # For example, "mydomain.oktapreview.com"
 OKTA_API_TOKEN=<YOUR_SANDBOX_API_TOKEN>
 DATABASE_URI="sqlite:///access.db"
 CLIENT_ORIGIN_URL=http://localhost:3000
-VITE_API_SERVER_URL=http://localhost:6060
+VITE_API_SERVER_URL=
 ```
 
+> **Note:** `VITE_API_SERVER_URL` is left empty so the frontend uses relative URLs. The Vite dev server proxies `/api` requests to the Flask backend on port 6060.
+
 Next, run the following commands to set up your python virtual environment. Access can run on Python 3.11 and above:
 
 ```
@@ -231,7 +233,7 @@ The `.env.production` file is where you configure the application.
 - `OKTA_DOMAIN`: Specifies the [Okta](https://okta.com) domain to use.
 - `OKTA_API_TOKEN`: Specifies the [Okta](https://okta.com) [API Token](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApiToken/) to use.
 - `DATABASE_URI`: Specifies the Database connection URI. **Example:** `postgresql+pg8000://<POSTGRES_USER>:<POSTGRES_PASSWORD>@postgres:5432/<DB_NAME>`.
-- `CLIENT_ORIGIN_URL`: Specifies the origin URL which is used by CORS.
+- `CLIENT_ORIGIN_URL`: Specifies the origin URL used by plugins (e.g. for building notification URLs).
 - `VITE_API_SERVER_URL`: Specifies the API base URL which is used by the frontend. Set to an empty string "" to use the same URL as the frontend.
 - `FLASK_SENTRY_DSN`: See the [Sentry documentation](https://docs.sentry.io/product/sentry-basics/concepts/dsn-explainer/). **[OPTIONAL] You can safely remove this from your env file**
 - `REACT_SENTRY_DSN`: See the [Sentry documentation](https://docs.sentry.io/product/sentry-basics/concepts/dsn-explainer/). **[OPTIONAL] You can safely remove this from your env file**

api/app.py

@@ -11,7 +11,6 @@
 
 from flask import Flask, Response, request
 from flask.typing import ResponseReturnValue
-from flask_cors import CORS
 from flask_talisman import Talisman
 from marshmallow import ValidationError
 from werkzeug.exceptions import HTTPException
@@ -158,21 +157,6 @@ def add_headers(response: Response) -> ResponseReturnValue:
             response.headers["Content-Type"] = "application/json; charset=utf-8"
         return response
 
-    ##########################################
-    # CORS
-    ##########################################
-
-    if app.config["ENV"] == "development":
-        # Only necessary in development because the React
-        # frontend is served from a different port
-        CORS(
-            app,
-            resources={r"/api/*": {"origins": app.config["CLIENT_ORIGIN_URL"]}},
-            allow_headers=["Authorization", "Content-Type", "baggage", "sentry-trace"],
-            methods=["GET", "POST", "PUT", "DELETE"],
-            max_age=86400,
-        )
-
     ##########################################
     # Configure CloudSQL Database Connection
     ##########################################

requirements.txt

@@ -23,7 +23,6 @@ flask-marshmallow==1.2.1
 flask-apispec==0.11.4
 
 # Security
-Flask-Cors==6.0.0
 flask-talisman==1.1.0
 PyJWT==2.10.1
 flask-oidc==2.2.2
@@ -47,7 +46,6 @@ ruff==0.8.0
 # Typing
 mypy==1.13.0
 types-google-cloud-ndb==2.3.0.20250317
-types-Flask-Cors==5.0.0.20240902
 types-Flask-Migrate==4.0.0.20240311
 types-python-dateutil==2.9.0.20250822
 types-requests==2.32.0.20241016

vite.config.ts

@@ -44,6 +44,12 @@ export default defineConfig(({mode}) => {
     },
     server: {
       port: 3000,
+      proxy: {
+        '/api': {
+          target: 'http://localhost:6060',
+          changeOrigin: true,
+        },
+      },
     },
     build: {
       outDir: 'build',