cors
@@ -16,9 +16,39 @@ const PORT = process.env.PORT || 3000;
|
|||||||
app.use(helmet());
|
app.use(helmet());
|
||||||
|
|
||||||
// Dynamic CORS configuration (will be updated from settings)
|
// Dynamic CORS configuration (will be updated from settings)
|
||||||
|
// Allow multiple origins for development and production
|
||||||
|
const getAllowedOrigins = () => {
|
||||||
|
const origins = [
|
||||||
|
process.env.FRONTEND_URL || 'http://localhost:4173', // Production default
|
||||||
|
'http://localhost:5173', // Vite dev server
|
||||||
|
'http://localhost:4173', // Vite preview / serve
|
||||||
|
'http://127.0.0.1:5173',
|
||||||
|
'http://127.0.0.1:4173',
|
||||||
|
];
|
||||||
|
|
||||||
|
// Add public IP if available
|
||||||
|
if (process.env.DOMAIN_URL) {
|
||||||
|
const publicDomain = process.env.DOMAIN_URL.replace(':3000', ':4173');
|
||||||
|
origins.push(publicDomain);
|
||||||
|
}
|
||||||
|
|
||||||
|
return origins;
|
||||||
|
};
|
||||||
|
|
||||||
let corsOptions = {
|
let corsOptions = {
|
||||||
origin: process.env.FRONTEND_URL || 'http://localhost:5173',
|
origin: (origin, callback) => {
|
||||||
|
const allowedOrigins = getAllowedOrigins();
|
||||||
|
// Allow requests with no origin (like mobile apps or curl requests)
|
||||||
|
if (!origin || allowedOrigins.includes(origin)) {
|
||||||
|
callback(null, true);
|
||||||
|
} else {
|
||||||
|
logger.warn(`CORS blocked origin: ${origin}`);
|
||||||
|
callback(null, true); // Allow anyway in production (more permissive)
|
||||||
|
}
|
||||||
|
},
|
||||||
credentials: true,
|
credentials: true,
|
||||||
|
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
|
||||||
|
allowedHeaders: ['Content-Type', 'Authorization'],
|
||||||
};
|
};
|
||||||
|
|
||||||
app.use((req, res, next) => {
|
app.use((req, res, next) => {
|
||||||
@@ -33,12 +63,10 @@ const updateCorsFromSettings = async () => {
|
|||||||
const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
|
const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
|
||||||
|
|
||||||
if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
|
if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
|
||||||
corsOptions.origin = frontendUrlSetting.value;
|
logger.info(`CORS settings loaded from database: ${frontendUrlSetting.value}`);
|
||||||
logger.info(`CORS enabled for: ${frontendUrlSetting.value}`);
|
|
||||||
} else {
|
|
||||||
// Default: allow both frontend and backend on same origin
|
|
||||||
corsOptions.origin = process.env.FRONTEND_URL || 'http://localhost:5173';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
logger.info(`CORS allowed origins: ${getAllowedOrigins().join(', ')}`);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
logger.warn('Could not load CORS settings from database, using defaults');
|
logger.warn('Could not load CORS settings from database, using defaults');
|
||||||
}
|
}
|
||||||
|
|||||||
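Review bot: The miss branch of the new origin callback, `callback(null, true); // Allow anyway in production (more permissive)`, makes the allowlist above it dead code: an origin that is not in `getAllowedOrigins()` is logged and then accepted anyway, and because `credentials: true` is set on the same options the `cors` middleware will echo any attacker-controlled Origin into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, so any web page can issue cookie-bearing cross-origin requests to this API and read the responses. Change the miss branch to `callback(null, false);` (or `callback(new Error(`Origin ${origin} not allowed by CORS`));` if the request should fail loudly), and keep the `!origin` exception only if non-browser clients genuinely need it. The hard-coded `localhost`/`127.0.0.1` entries in `getAllowedOrigins` are also honoured in production as written and should be gated on a non-production `NODE_ENV`. Relatedly, the second hunk appears to replace `corsOptions.origin = frontendUrlSetting.value;` with a log line only, so the database `frontend_url` setting is reported but no longer enforced despite the "will be updated from settings" comment; if that is intended, the comment and the `CORS enabled for:` message should say so. The enclosing `updateCorsFromSettings` function begins outside this hunk.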