fix: gate permissive CORS to dev only

In production, only origins listed in CORS_ORIGINS env var are allowed. In dev, any origin is reflected back. Co-authored-by: Ona <no-reply@ona.com>
2026-03-23 18:41:17 +00:00 · 2026-03-23 00:31:06 +00:00
parent 09ad98990c
commit 464cbe4fa3
1 changed files with 10 additions and 2 deletions
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -51,10 +51,18 @@ function main() {

 	const app = new Hono()

+	const isDev = process.env.NODE_ENV !== "production"
+	const allowedOrigins = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()) ?? []
+
+	function resolveOrigin(origin: string): string | undefined {
+		if (isDev) return origin
+		return allowedOrigins.includes(origin) ? origin : undefined
+	}
+
 	app.use(
 		"/api/auth/*",
 		cors({
-			origin: (origin) => origin,
+			origin: resolveOrigin,
 			allowHeaders: ["Content-Type", "Authorization"],
 			allowMethods: ["POST", "GET", "OPTIONS"],
 			exposeHeaders: ["Content-Length"],
@@ -66,7 +74,7 @@ function main() {
 	app.use(
 		"*",
 		cors({
-			origin: (origin) => origin,
+			origin: resolveOrigin,
 			credentials: true,
 		}),
 	)