feat: simplify CORS origin handling and update environment variable type

Thavarshan · Thavarshan · commit 2d36288cb182 · 2025-11-19T09:12:20.000+05:30
diff --git a/src/app.ts b/src/app.ts
@@ -13,30 +13,16 @@ interface AppDeps {
   sessionController: SessionController;
   authController?: LocalAuthController;
   authService?: LocalAuthService;
-  corsOrigin?:
-    | string
-    | string[]
-    | boolean
-    | ((origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void);
+  corsOrigin?: string | string[];
   env?: AppEnv;
 }
 
 export function createApp(deps: AppDeps) {
   const app = express();
 
-  // CORS configuration
-  // When credentials: true, origin cannot be '*' - must be explicit or dynamic
-  // Use a function to dynamically reflect the requesting origin
-  const corsOrigin = deps.corsOrigin
-    ? deps.corsOrigin
-    : (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
-        // Reflect any origin when CORS_ORIGIN not set
-        callback(null, true);
-      };
-
   app.use(
     cors({
-      origin: corsOrigin,
+      origin: deps.corsOrigin ?? '*',
       credentials: true,
       methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
       allowedHeaders: ['Content-Type', 'Authorization', 'Cookie'],
diff --git a/src/config/env.ts b/src/config/env.ts
@@ -20,10 +20,7 @@ const EnvSchema = z.object({
 });
 
 export type AppEnv = z.infer<typeof EnvSchema> & {
-  corsOrigin:
-    | string
-    | string[]
-    | ((origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void);
+  corsOrigin: string | string[];
 };
 
 export function loadEnv(): AppEnv {
@@ -33,14 +30,11 @@ export function loadEnv(): AppEnv {
   }
 
   // Parse CORS_ORIGIN - can be a comma-separated list or single origin
-  // If not set, use a function that allows all origins (for credentials support)
   const corsOrigin = parsed.data.CORS_ORIGIN
     ? parsed.data.CORS_ORIGIN.includes(',')
       ? parsed.data.CORS_ORIGIN.split(',').map((origin) => origin.trim())
       : parsed.data.CORS_ORIGIN
-    : ((_origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
-        callback(null, true);
-      });
+    : '*';
 
   return {
     ...parsed.data,
