Make cors middleware disabled by default (#400)

In development, CORS isn't really useful to enable.
I added a warning in production if the `CORS_ORIGINS` env var is set to
`*` (the default).

backend/bracket/app.py

@@ -27,6 +27,7 @@ from bracket.routes import (
     users,
 )
 from bracket.utils.db_init import init_db_when_empty
+from bracket.utils.logging import logger
 
 init_sentry()
 
@@ -36,6 +37,9 @@ async def lifespan(_: FastAPI) -> AsyncIterator[None]:
     await database.connect()
     await init_db_when_empty()
 
+    if environment is Environment.PRODUCTION and config.cors_origins == '*':
+        logger.warning("It's advised to set the `CORS_ORIGINS` environment variable in production")
+
     yield
 
     if environment != Environment.CI:
@@ -49,11 +53,9 @@ app = FastAPI(
     lifespan=lifespan,
 )
 
-origins = ["http://localhost", "http://localhost:3000", *config.cors_origins.split(',')]
-
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=origins,
+    allow_origins=config.cors_origins,
     allow_origin_regex=config.cors_origin_regex,
     allow_credentials=True,
     allow_methods=["*"],

backend/bracket/config.py

@@ -30,7 +30,7 @@ class Config(BaseSettings):
     allow_user_registration: bool = True
     base_url: str = 'http://localhost:8400'
     cors_origin_regex: str = ''
-    cors_origins: str = ''
+    cors_origins: str = '*'
     jwt_secret: str
     pg_dsn: PostgresDsn = 'postgresql://user:pass@localhost:5432/db'  # type: ignore[assignment]
     sentry_dsn: str | None = None

backend/ci.env

@@ -1,5 +1,5 @@
 PG_DSN='postgresql://bracket_ci:bracket_ci@localhost:5532/bracket_ci'
 JWT_SECRET='abd84ebeb6581c26b53fa30d89c4e7fbc48ee5b4f3b8ddedb7586cfeb3daca0c'
-CORS_ORIGINS=''
+CORS_ORIGINS='*'
 ADMIN_EMAIL='admin@example.com'
 ADMIN_PASSWORD='some unused password'