feat: update CORS configuration to support function-based origins and enhance logging

Thavarshan · Thavarshan · commit 2bed66f4af0a · 2025-11-19T09:02:32.000+05:30
diff --git a/src/app.ts b/src/app.ts
@@ -13,16 +13,26 @@ interface AppDeps {
   sessionController: SessionController;
   authController?: LocalAuthController;
   authService?: LocalAuthService;
-  corsOrigin?: string | string[] | boolean;
+  corsOrigin?:
+    | string
+    | string[]
+    | boolean
+    | ((origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void);
   env?: AppEnv;
 }
 
 export function createApp(deps: AppDeps) {
   const app = express();
 
   // CORS configuration
-  // Note: When credentials: true, origin cannot be '*' - must be explicit
-  const corsOrigin = deps.corsOrigin ?? true; // 'true' reflects the request origin
+  // When credentials: true, origin cannot be '*' - must be explicit or dynamic
+  // Use a function to dynamically reflect the requesting origin
+  const corsOrigin = deps.corsOrigin
+    ? deps.corsOrigin
+    : (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
+        // Reflect any origin when CORS_ORIGIN not set
+        callback(null, true);
+      };
 
   app.use(
     cors({
diff --git a/src/config/env.ts b/src/config/env.ts
@@ -20,7 +20,10 @@ const EnvSchema = z.object({
 });
 
 export type AppEnv = z.infer<typeof EnvSchema> & {
-  corsOrigin: string | string[] | boolean;
+  corsOrigin:
+    | string
+    | string[]
+    | ((origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void);
 };
 
 export function loadEnv(): AppEnv {
@@ -30,12 +33,14 @@ export function loadEnv(): AppEnv {
   }
 
   // Parse CORS_ORIGIN - can be a comma-separated list or single origin
-  // If not set, use 'true' to reflect the request origin (allows all with credentials)
+  // If not set, use a function that allows all origins (for credentials support)
   const corsOrigin = parsed.data.CORS_ORIGIN
     ? parsed.data.CORS_ORIGIN.includes(',')
       ? parsed.data.CORS_ORIGIN.split(',').map((origin) => origin.trim())
       : parsed.data.CORS_ORIGIN
-    : true;
+    : ((_origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
+        callback(null, true);
+      });
 
   return {
     ...parsed.data,
diff --git a/src/server.ts b/src/server.ts
@@ -41,6 +41,15 @@ async function bootstrap() {
     env,
   });
 
+  // Log CORS configuration
+  if (typeof env.corsOrigin === 'string') {
+    console.log(`CORS enabled for origin: ${env.corsOrigin}`);
+  } else if (Array.isArray(env.corsOrigin)) {
+    console.log(`CORS enabled for origins: ${env.corsOrigin.join(', ')}`);
+  } else {
+    console.log('CORS enabled for all origins (dynamic reflection)');
+  }
+
   app.listen(env.PORT, () => {
     console.log(`Auralyze API listening on port ${env.PORT}`);
   });
