stac-fastapi does not provide CORS header (Cross-Origin Resource Sharing)

Hi all,

at first thanks for this great software!

When using "STAC browser" on a catalog created with stac-fastapi I get an error message that normally indicates that cors headers are not present.

"NetworkError when attempting to fetch resource.
Please note that some servers don't allow external access via web browsers (e.g., when CORS headers are not present).
Errored URL: https://localhost:8081"

Any comment is appreciated! If you point me to a location in the source code I can also try to include it.

[vincentsarago]

@DanielMaierLGLN I think this is expected, It's let to the end users to customize the application layer.

Basically you need to update https://github.com/stac-utils/stac-fastapi/blob/master/stac_fastapi/sqlalchemy/stac_fastapi/sqlalchemy/app.py#L31 as 👇

"""FastAPI application."""
from stac_fastapi.api.app import StacApi
from stac_fastapi.extensions.core import (
    FieldsExtension,
    QueryExtension,
    SortExtension,
    TransactionExtension,
)
from stac_fastapi.extensions.third_party import BulkTransactionExtension
from stac_fastapi.sqlalchemy.config import SqlalchemySettings
from stac_fastapi.sqlalchemy.core import CoreCrudClient
from stac_fastapi.sqlalchemy.session import Session
from stac_fastapi.sqlalchemy.transactions import (
    BulkTransactionsClient,
    TransactionsClient,
)

from starlette.middleware.cors import CORSMiddleware

settings = SqlalchemySettings()
session = Session.create_from_settings(settings)
api = StacApi(
    settings=settings,
    extensions=[
        TransactionExtension(client=TransactionsClient(session=session)),
        BulkTransactionExtension(client=BulkTransactionsClient(session=session)),
        FieldsExtension(),
        QueryExtension(),
        SortExtension(),
    ],
    client=CoreCrudClient(session=session),
)
app = api.app

# ADD CORSMiddleware
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["*"],
)

Thank you very much @vincentsarago!
If it is expected to be done by the end users - it's ok for me (maybe it makes sense it include it in the documentation?).

I confirm that your solution is working (apart from a small typo in the app.add_middleware part).
Thanks again :)

[geospatial-jeff]

Linking to the FastAPI CORS docs would be lovely https://fastapi.tiangolo.com/tutorial/cors/

[geospatial-jeff]

Given the api spec recommends adding CORS I think it makes sense to include by default.

https://github.com/radiantearth/stac-api-spec/blob/master/implementation.md#cors

[geospatial-jeff]

Closed with #436