From 464cbe4fa30aa5deba3a857a34cfe8a05a8e104a Mon Sep 17 00:00:00 2001
From: kenneth
Date: Mon, 23 Mar 2026 00:31:06 +0000
Subject: [PATCH] fix: gate permissive CORS to dev only

In production, only origins listed in CORS_ORIGINS env var are allowed.
In dev, any origin is reflected back.

Co-authored-by: Ona
---
 apps/aelis-backend/src/server.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/apps/aelis-backend/src/server.ts b/apps/aelis-backend/src/server.ts
index 9680b04..300cb96 100644
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -51,10 +51,18 @@ function main() {
   const app = new Hono()
 
+  const isDev = process.env.NODE_ENV !== "production"
+  const allowedOrigins = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()) ?? []
+
+  function resolveOrigin(origin: string): string | undefined {
+    if (isDev) return origin
+    return allowedOrigins.includes(origin) ? origin : undefined
+  }
+
   app.use(
     "/api/auth/*",
     cors({
-      origin: (origin) => origin,
+      origin: resolveOrigin,
       allowHeaders: ["Content-Type", "Authorization"],
       allowMethods: ["POST", "GET", "OPTIONS"],
       exposeHeaders: ["Content-Length"],
@@ -66,7 +74,7 @@ function main() {
   app.use(
     "*",
     cors({
-      origin: (origin) => origin,
+      origin: resolveOrigin,
       credentials: true,
     }),
   )
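Review bot: `isDev` is true whenever NODE_ENV is anything other than the exact string "production", so a deployment that leaves NODE_ENV unset (or uses a value such as "staging") silently keeps the reflect-any-origin behaviour, and the second hunk applies that same reflected origin together with `credentials: true` on every route. A fail-closed default would be `const isDev = process.env.NODE_ENV === "development"` (if other environments rely on the current check, at least emit a startup warning when `!isDev && allowedOrigins.length === 0`, so an unset CORS_ORIGINS in production is visible instead of just rejecting every cross-origin call). `allowedOrigins` should also drop empty entries — `.map((o) => o.trim()).filter(Boolean)` — so a trailing comma or an empty CORS_ORIGINS does not put "" into the allow-list. A short comment above `allowedOrigins` noting that each entry must match the browser's Origin header exactly (scheme, host and port, no path or trailing slash) would save a support round-trip, since the comparison is a plain string `includes`. main() continues outside both hunks.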