From 16f5b39fc66e7c495a19e4dfb665fee4586d430e Mon Sep 17 00:00:00 2001
From: salvacybersec
Date: Tue, 11 Nov 2025 05:08:03 +0300
Subject: [PATCH] Add CORS development mode - allow all origins in dev

---
 backend/src/app.js | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/backend/src/app.js b/backend/src/app.js
index a372ff5..a7967aa 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -15,8 +15,11 @@ const PORT = process.env.PORT || 3000;
 // Security middleware
 app.use(helmet());
 
-// Dynamic CORS configuration (will be updated from settings)
-// Allow multiple origins for development and production
+// Dynamic CORS configuration
+// Development: Allow ALL origins (no restrictions)
+// Production: Whitelist specific domains
+const isDevelopment = process.env.NODE_ENV !== 'production';
+
 const getAllowedOrigins = () => {
   const origins = [
     process.env.FRONTEND_URL || 'http://localhost:4173', // Production default
@@ -37,13 +40,21 @@ const getAllowedOrigins = () => {
 
 let corsOptions = {
   origin: (origin, callback) => {
+    // Development mode: Allow ALL origins
+    if (isDevelopment) {
+      callback(null, true);
+      return;
+    }
+
+    // Production mode: Check whitelist
     const allowedOrigins = getAllowedOrigins();
     // Allow requests with no origin (like mobile apps or curl requests)
     if (!origin || allowedOrigins.includes(origin)) {
       callback(null, true);
     } else {
-      logger.warn(`CORS blocked origin: ${origin}`);
-      callback(null, true); // Allow anyway in production (more permissive)
+      logger.warn(`CORS blocked origin: ${origin} (not in whitelist)`);
+      // For now, allow anyway (you can change to callback(new Error('Not allowed by CORS')) for strict mode)
+      callback(null, true);
     }
   },
   credentials: true,
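Review bot: `isDevelopment` is computed as `process.env.NODE_ENV !== 'production'`, so any deployment where NODE_ENV is unset, misspelled or set to something like `staging` lands in the branch that disables CORS checks entirely; the safe default for a security switch is the restrictive one. Prefer an explicit opt-in, `const isDevelopment = process.env.NODE_ENV === 'development';`, and log the resolved value once at startup so an accidental fail-open is visible in the logs. The same flag drives the early return in the `origin` callback in the next hunk, so the fix covers both.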
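Review bot: In the `else` branch the production path still ends with `callback(null, true)` after the warning, so the whitelist is log-only and the new header comment `Production: Whitelist specific domains` does not describe what the code does. If this is the `cors` middleware, passing `true` to the callback reflects the requesting origin, and together with `credentials: true` that grants every site a credentialed cross-origin response, which is the case browsers' same-origin rules exist to prevent; the `isDevelopment` early return has the same shape. If strict enforcement is not ready yet, replace the `// For now` comment with one that states the gap plainly (e.g. `// NOTE: whitelist is currently log-only; non-whitelisted origins are still accepted with credentials`), otherwise change the last line to `callback(new Error('Not allowed by CORS'));`. `corsOptions` continues past the end of this hunk.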
@@ -66,7 +77,11 @@ const updateCorsFromSettings = async () => {
       logger.info(`CORS settings loaded from database: ${frontendUrlSetting.value}`);
     }
 
-    logger.info(`CORS allowed origins: ${getAllowedOrigins().join(', ')}`);
+    if (isDevelopment) {
+      logger.info('🔓 CORS: Development mode - ALL origins allowed');
+    } else {
+      logger.info(`🔒 CORS: Production mode - Whitelist: ${getAllowedOrigins().join(', ')}`);
+    }
   } catch (error) {
     logger.warn('Could not load CORS settings from database, using defaults');
   }
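Review bot: The production log line `🔒 CORS: Production mode - Whitelist: …` tells the reader the whitelist is enforced, but the `origin` callback in the earlier hunk still accepts origins that are not on it, so this message will mislead whoever reads the logs during an incident. Until strict mode is switched on, make the message match behaviour, e.g. `logger.info(\`CORS: Production mode - whitelist (log-only; non-whitelisted origins still allowed): ${getAllowedOrigins().join(', ')}\`);`. The enclosing `updateCorsFromSettings` starts before this hunk.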