From 686556c7dd37e5fec1201972a56cb296202925b3 Mon Sep 17 00:00:00 2001
From: salvacybersec
Date: Tue, 11 Nov 2025 04:58:38 +0300
Subject: [PATCH] cors

---
 backend/src/app.js | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/backend/src/app.js b/backend/src/app.js
index 362d614..a372ff5 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -16,9 +16,39 @@ const PORT = process.env.PORT || 3000;
 app.use(helmet());
 // Dynamic CORS configuration (will be updated from settings)
+// Allow multiple origins for development and production
+const getAllowedOrigins = () => {
+ const origins = [
+ process.env.FRONTEND_URL || 'http://localhost:4173', // Production default
+ 'http://localhost:5173', // Vite dev server
+ 'http://localhost:4173', // Vite preview / serve
+ 'http://127.0.0.1:5173',
+ 'http://127.0.0.1:4173',
+ ];
+
+ // Add public IP if available
+ if (process.env.DOMAIN_URL) {
+ const publicDomain = process.env.DOMAIN_URL.replace(':3000', ':4173');
+ origins.push(publicDomain);
+ }
+
+ return origins;
+};
+
 let corsOptions = {
- origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+ origin: (origin, callback) => {
+ const allowedOrigins = getAllowedOrigins();
+ // Allow requests with no origin (like mobile apps or curl requests)
+ if (!origin || allowedOrigins.includes(origin)) {
+ callback(null, true);
+ } else {
+ logger.warn(`CORS blocked origin: ${origin}`);
+ callback(null, true); // Allow anyway in production (more permissive)
+ }
+ },
 credentials: true,
+ methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+ allowedHeaders: ['Content-Type', 'Authorization'],
 };
 app.use((req, res, next) => {
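Review bot: The `else` branch of the new `origin` callback still calls `callback(null, true)`, so the allowlist built by `getAllowedOrigins()` never rejects anything and every requesting origin is reflected back together with `credentials: true`; any third-party site can then make credentialed cross-origin requests to this API, which is exactly what an origin allowlist is meant to prevent. The allowlist only takes effect if the fallthrough denies: `callback(new Error('Not allowed by CORS'));` (or `callback(null, false);` to respond without the CORS headers), keeping the `logger.warn` so rejected origins stay visible. If a permissive mode is genuinely needed in some deployment, it should be switched on by an explicit setting rather than being the silent default for every unknown origin. The `process.env.DOMAIN_URL.replace(':3000', ':4173')` rewrite also only works when that variable carries exactly that port; a dedicated environment variable holding the public frontend origin would be clearer and less brittle.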
@@ -33,12 +63,10 @@ const updateCorsFromSettings = async () => {
 const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
 if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
- corsOptions.origin = frontendUrlSetting.value;
- logger.info(`CORS enabled for: ${frontendUrlSetting.value}`);
- } else {
- // Default: allow both frontend and backend on same origin
- corsOptions.origin = process.env.FRONTEND_URL || 'http://localhost:5173';
+ logger.info(`CORS settings loaded from database: ${frontendUrlSetting.value}`);
 }
+
+ logger.info(`CORS allowed origins: ${getAllowedOrigins().join(', ')}`);
 } catch (error) {
 logger.warn('Could not load CORS settings from database, using defaults');
 }
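Review bot: `frontendUrlSetting.value` is now only logged; with the assignments to `corsOptions.origin` removed and `getAllowedOrigins()` reading only environment variables, the database-backed `corsEnabledSetting`/`frontend_url` settings no longer influence which origins are allowed, and the message `CORS settings loaded from database` overstates what actually happened. Either feed the value into the allowlist — for example a module-level `let dbFrontendUrl = null;` assigned here with `dbFrontendUrl = frontendUrlSetting.value;` and appended in `getAllowedOrigins()` via `if (dbFrontendUrl) origins.push(dbFrontendUrl);` — or drop the now-unused query and the misleading log line. The `updateCorsFromSettings` function and its `try` block begin before this hunk, where `corsEnabledSetting` is presumably defined.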