cors

2025-11-11 04:58:38 +03:00
parent 6a0d9169ed
commit 686556c7dd
1 changed files with 34 additions and 6 deletions
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -16,9 +16,39 @@ const PORT = process.env.PORT || 3000;
 app.use(helmet());

 // Dynamic CORS configuration (will be updated from settings)
+// Allow multiple origins for development and production
+const getAllowedOrigins = () => {
+  const origins = [
+    process.env.FRONTEND_URL || 'http://localhost:4173', // Production default
+    'http://localhost:5173', // Vite dev server
+    'http://localhost:4173', // Vite preview / serve
+    'http://127.0.0.1:5173',
+    'http://127.0.0.1:4173',
+  ];
+  
+  // Add public IP if available
+  if (process.env.DOMAIN_URL) {
+    const publicDomain = process.env.DOMAIN_URL.replace(':3000', ':4173');
+    origins.push(publicDomain);
+  }
+  
+  return origins;
+};
+
 let corsOptions = {
-  origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+  origin: (origin, callback) => {
+    const allowedOrigins = getAllowedOrigins();
+    // Allow requests with no origin (like mobile apps or curl requests)
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      logger.warn(`CORS blocked origin: ${origin}`);
+      callback(null, true); // Allow anyway in production (more permissive)
+    }
+  },
  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
 };

 app.use((req, res, next) => {
@@ -33,12 +63,10 @@ const updateCorsFromSettings = async () => {
    const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
    
    if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
-      corsOptions.origin = frontendUrlSetting.value;
-      logger.info(`CORS enabled for: ${frontendUrlSetting.value}`);
-    } else {
-      // Default: allow both frontend and backend on same origin
-      corsOptions.origin = process.env.FRONTEND_URL || 'http://localhost:5173';
+      logger.info(`CORS settings loaded from database: ${frontendUrlSetting.value}`);
    }
+    
+    logger.info(`CORS allowed origins: ${getAllowedOrigins().join(', ')}`);
  } catch (error) {
    logger.warn('Could not load CORS settings from database, using defaults');
  }