fix: gate permissive CORS to dev only

In production, only origins listed in the comma-separated CORS_ORIGINS
environment variable are allowed. In dev (NODE_ENV != "production"), the request's Origin is reflected back.

Co-authored-by: Ona <no-reply@ona.com>
2026-03-23 00:31:06 +00:00
parent 09ad98990c
commit 464cbe4fa3


@@ -51,10 +51,18 @@ function main() {
const app = new Hono() const app = new Hono()
const isDev = process.env.NODE_ENV !== "production"
const allowedOrigins = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()) ?? []
function resolveOrigin(origin: string): string | undefined {
if (isDev) return origin
return allowedOrigins.includes(origin) ? origin : undefined
}
app.use( app.use(
"/api/auth/*", "/api/auth/*",
cors({ cors({
origin: (origin) => origin, origin: resolveOrigin,
allowHeaders: ["Content-Type", "Authorization"], allowHeaders: ["Content-Type", "Authorization"],
allowMethods: ["POST", "GET", "OPTIONS"], allowMethods: ["POST", "GET", "OPTIONS"],
exposeHeaders: ["Content-Length"], exposeHeaders: ["Content-Length"],
@@ -66,7 +74,7 @@ function main() {
app.use( app.use(
"*", "*",
cors({ cors({
origin: (origin) => origin, origin: resolveOrigin,
credentials: true, credentials: true,
}), }),
) )
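Review bot: The gate on `isDev` fails open: `process.env.NODE_ENV !== "production"` is true whenever NODE_ENV is simply unset, so a deployment that forgets to set it reflects every Origin on the catch-all `"*"` route with `credentials: true`, which is the exact cross-site, credentialed read the commit is trying to stop. Opting into the permissive mode explicitly is safer, e.g. `const isDev = process.env.NODE_ENV === "development"`, and if production ever runs with an empty allowlist it is worth failing loudly (e.g. throw or log at startup when `!isDev && allowedOrigins.length === 0`) rather than silently answering no CORS requests. The allowlist match is also an exact, case-sensitive string comparison, so entries in CORS_ORIGINS must be `scheme://host[:port]` with no trailing slash; a `.filter(Boolean)` after the `.map(...)` would at least drop empty entries from a stray trailing comma. Both hunks sit inside `main()`, which starts and ends outside the hunk.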