Spaces:

archnemix-ffmpeg-polyglot
/

ffmpeg-python

Sleeping

YTShortMakerArchx commited on Mar 24

Commit

28693fa

verified ·

1 Parent(s): 76db87d

Update main.py

Files changed (1) hide show

main.py CHANGED Viewed

@@ -27,8 +27,8 @@ from pydantic import BaseModel, Field
 # =============================================================================
 HF_DATASET = os.getenv("HF_DATASET", "YTShortMakerArchx/BG_VIDS_ARCHX_YT")
 HF_TOKEN   = os.getenv("HF_TOKEN")
-APP_KEY    = os.getenv("APP_KEY", "archx_3f9d15f52n48d41h5fj8a7e2b_private")
-UI_ORIGIN  = os.getenv("UI_ORIGIN", "https://shortgen-archx.pages.dev")
 BASE_DIR   = Path("/tmp")
 AUDIO_DIR  = BASE_DIR / "audio"
@@ -176,13 +176,10 @@ app = FastAPI(
 app.add_middleware(
     CORSMiddleware,
     allow_origins=[
-        UI_ORIGIN,
-        "http://localhost:3000",
-        "http://127.0.0.1:3000",
-        "http://127.0.0.1:5500",
-        "http://localhost:5500",
-        "http://localhost:8000",
-        "https://huggingface.co",
     ],
     allow_credentials=True,
     allow_methods=["GET", "POST", "DELETE", "OPTIONS", "HEAD"],
@@ -217,13 +214,15 @@ def validate_origin(req: Request) -> bool:
     origin = req.headers.get("origin") or req.headers.get("referer", "")
     if not origin:
         return True
     allowed = [
-        "https://shortgen-archx.pages.dev",
-        "http://localhost:3000", "http://127.0.0.1:3000",
-        "http://localhost:5500", "http://127.0.0.1:5500",
-        "https://huggingface.co",
     ]
-    return any(origin.startswith(a) for a in allowed)
 def rate_limit(key: str, limit: int, window: int = 3600) -> bool:
     now = time.time()

 # =============================================================================
 HF_DATASET = os.getenv("HF_DATASET", "YTShortMakerArchx/BG_VIDS_ARCHX_YT")
 HF_TOKEN   = os.getenv("HF_TOKEN")
+APP_KEY    = os.getenv("APP_KEY")
+UI_ORIGIN  = os.getenv("UI_ORIGIN", "http://shortgenx.pages.dev")
 BASE_DIR   = Path("/tmp")
 AUDIO_DIR  = BASE_DIR / "audio"
 app.add_middleware(
     CORSMiddleware,
     allow_origins=[
+        "https://shortgenx.pages.dev",                                    # Your website
+        "http://localhost:3000",                                          # Local dev only port 3000
+        "http://127.0.0.1:3000",                                         # Local dev only port 3000
+        "https://ytshortmakerarchx-archnemix-controller.hf.space",       # Controller space
     ],
     allow_credentials=True,
     allow_methods=["GET", "POST", "DELETE", "OPTIONS", "HEAD"],
     origin = req.headers.get("origin") or req.headers.get("referer", "")
     if not origin:
         return True
+    # Strict allowed origins - exact match only
     allowed = [
+        "https://shortgenx.pages.dev",
+        "http://localhost:3000",
+        "http://127.0.0.1:3000",
+        "https://ytshortmakerarchx-archnemix-controller.hf.space",
     ]
+    # Use exact match, not prefix matching
+    return origin in allowed
 def rate_limit(key: str, limit: int, window: int = 3600) -> bool:
     now = time.time()