developer/galaxy-game
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: flaky RandomSuffix test + CORS allow-list on public gateway #7

Merged
developer merged 2 commits from feature/cors-and-flaky-test into development 2026-05-15 06:35:59 +00:00
Conversation 0 Commits 2 Files Changed 7
+236 -4
developer commented 2026-05-15 05:58:35 +00:00
Owner
Copy Link
Copy Source

Two unrelated fixes that surfaced during the post-CI-reorg shakedown.

pkg/util: harden TestRandomSuffixGenerator

The previous test compared each of 100 samples against the previous one — birthday collisions made it flake ~1 % per run, and we caught it in go-unit #51. Replaced with a distinctness-floor check over 200 samples (~10 000-element space, expected ~198 unique, floor at 150). Still catches a stuck or narrow-range generator without depending on randomness behaving today.

gateway: CORS allow-list on the public REST surface

The dev UI on https://www.galaxy.lan cross-origins to https://api.galaxy.lan and the browser was blocking responses. Added a GATEWAY_PUBLIC_HTTP_CORS_ALLOWED_ORIGINS env-driven allow-list with a small custom middleware. Mounts before route-classification and anti-abuse so OPTIONS preflights never charge against rate-limit buckets. Defaults to empty (closed), and tools/dev-deploy/docker-compose.yml opts the dev gateway into https://www.galaxy.lan.

Local-dev posture is unchanged — Vite proxies through the same origin, no CORS needed.

Two unrelated fixes that surfaced during the post-CI-reorg shakedown. ### `pkg/util`: harden TestRandomSuffixGenerator The previous test compared each of 100 samples against the previous one — birthday collisions made it flake ~1 % per run, and we caught it in go-unit #51. Replaced with a distinctness-floor check over 200 samples (~10 000-element space, expected ~198 unique, floor at 150). Still catches a stuck or narrow-range generator without depending on randomness behaving today. ### `gateway`: CORS allow-list on the public REST surface The dev UI on `https://www.galaxy.lan` cross-origins to `https://api.galaxy.lan` and the browser was blocking responses. Added a `GATEWAY_PUBLIC_HTTP_CORS_ALLOWED_ORIGINS` env-driven allow-list with a small custom middleware. Mounts before route-classification and anti-abuse so OPTIONS preflights never charge against rate-limit buckets. Defaults to empty (closed), and `tools/dev-deploy/docker-compose.yml` opts the dev gateway into `https://www.galaxy.lan`. Local-dev posture is unchanged — Vite proxies through the same origin, no CORS needed.
developer added 2 commits 2026-05-15 05:58:35 +00:00
pkg/util: harden TestRandomSuffixGenerator against birthday collisions 7bce67462c 
The previous test asserted that no two adjacent samples from a
~10 000-element space were equal across 100 iterations. The birthday
math gives that adjacency check a ~1 % flake rate per run; with the
new gitea.lan CI volume that turned into observable random failures
(go-unit #51 on feature/enable-actions-cache hit "Should not be:
'6635'").

Replace adjacency with a distinctness floor over a wider 200-sample
draw. A stuck generator (single value) lands at 1 unique; a
256-element range lands at ~196; the natural full-range generator
lands at ~198. A floor of 150 catches the failure modes the test was
actually written to guard against and never trips on legitimate
randomness.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
gateway: add CORS allow-list for the public REST surface
Tests · Go / test (push) Successful in 1m42s
Details
Tests · Go / test (pull_request) Successful in 1m45s
Details
Tests · Integration / integration (pull_request) Successful in 1m36s
Details
1855e43699 
Adds a `GATEWAY_PUBLIC_HTTP_CORS_ALLOWED_ORIGINS` env-driven allow-list
on the public REST server so the dev UI on https://www.galaxy.lan can
call https://api.galaxy.lan without the browser blocking the
cross-origin response. Defaults to empty (no CORS) so the production
posture stays closed.

The middleware mounts before route classification and anti-abuse, so
OPTIONS preflights never charge against per-class rate-limit buckets.

`tools/dev-deploy/docker-compose.yml` opts the dev gateway into a
single allowed origin (`https://www.galaxy.lan`); local-dev keeps the
defaults because Vite proxies through the same origin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
developer merged commit 9d65bf5157 into development 2026-05-15 06:35:59 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
developer
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: developer/galaxy-game#7
Delete Branch "feature/cors-and-flaky-test"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?