fix: enhance CORS origin handling and update validation for YouTube URLs

app/main.py

@@ -23,7 +23,7 @@ logger = get_logger(__name__)
 
 
 def _load_origins() -> list[str]:
-    raw = os.getenv("CROWNCODE_CORS_ORIGINS") or os.getenv("CORS_ORIGIN", "http://localhost:3000")
+    raw = os.getenv("CROWNCODE_CORS_ORIGINS") or os.getenv("CORS_ORIGIN") or "http://localhost:3000"
     if raw.strip() == "*":
         logger.warning("CORS configured to allow all origins")
         return ["*"]
@@ -74,10 +74,12 @@ async def general_exception_handler(request: Request, exc: Exception) -> JSONRes
     )
 
 
+_origins = _load_origins()
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=_load_origins(),
-    allow_credentials=True,
+    allow_origins=_origins,
+    # credentials=True is only safe with an explicit origin list, not wildcard
+    allow_credentials="*" not in _origins,
     allow_methods=["*"],
     allow_headers=["*"],
 )

app/schemas.py

@@ -54,9 +54,11 @@ class YouTubeAnalyzeResponse(BaseModel):
 
 
 class AudioAugmentationOptions(BaseModel):
-    pitch_shift: bool = Field(default=False, description="Apply random pitch shifting")
-    speed_change: bool = Field(default=False, description="Apply random speed change")
-    bass_boost: bool = Field(default=False, description="Apply bass boost equalization")
-    trim_silence: bool = Field(default=False, description="Trim leading and trailing silence")
-    mix_audio: bool = Field(default=False, description="Mix with another audio track (placeholder)")
-    add_noise: bool = Field(default=False, description="Add Gaussian noise")
+    model_config = {"populate_by_name": True}
+
+    pitch_shift: bool = Field(default=False, alias="pitchShift", description="Apply random pitch shifting")
+    speed_change: bool = Field(default=False, alias="speedChange", description="Apply random speed change")
+    bass_boost: bool = Field(default=False, alias="bassBoost", description="Apply bass boost equalization")
+    trim_silence: bool = Field(default=False, alias="trimSilence", description="Trim leading and trailing silence")
+    mix_audio: bool = Field(default=False, alias="mixAudio", description="Mix with another audio track (placeholder)")
+    add_noise: bool = Field(default=False, alias="addNoise", description="Add Gaussian noise")

app/services/url_parser.py

@@ -51,7 +51,7 @@ def _extract_video_id(parsed_url) -> Optional[str]:
         candidate = path.strip("/").split("/")[0]
         return candidate or None
 
-    if "youtube.com" in host or "music.youtube.com" in host:
+    if host in {"youtube.com", "www.youtube.com", "m.youtube.com", "music.youtube.com"}:
         if path == "/watch":
             return query.get("v", [None])[0]
         if path.startswith("/shorts/") or path.startswith("/live/") or path.startswith("/embed/"):

app/services/validation.py

@@ -68,18 +68,29 @@ def validate_url(url: str) -> bool:
     if any(char in url for char in dangerous_chars):
         return False
     
-    allowed_domains = [
+    from urllib.parse import urlparse
+
+    try:
+        parsed = urlparse(url)
+        host = (parsed.hostname or '').lower()
+    except Exception:
+        return False
+
+    allowed_hosts = {
         'youtube.com',
-        'youtu.be',
+        'www.youtube.com',
+        'm.youtube.com',
         'music.youtube.com',
+        'youtu.be',
+        'www.youtu.be',
         'spotify.com',
-        'open.spotify.com'
-    ]
-    
-    url_lower = url.lower()
-    if not any(domain in url_lower for domain in allowed_domains):
+        'www.spotify.com',
+        'open.spotify.com',
+    }
+
+    if host not in allowed_hosts:
         return False
-    
+
     return True