
Commit 9b13da5

committed
feat: enhance CORS configuration to support boolean values and update environment variable documentation
1 parent 1a2dbbf commit 9b13da5

3 files changed

Lines changed: 27 additions & 19 deletions


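--- a/README.md
+++ b/README.md
@@ -32,21 +32,21 @@ npx prisma generate
 
 ## Environment variables
 
-| Variable | Description |
-| ------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
-| `PORT` | HTTP port (default 4001) |
-| `DATABASE_URL` | PostgreSQL connection string (e.g., `postgresql://user:pass@localhost:5432/auralyze_api`) |
-| `CORS_ORIGIN` | Allowed origins for CORS (e.g., `http://localhost:3000` or comma-separated list) |
-| `CERBERUS_BASE_URL` | Cerberus IAM host (e.g., `https://cerberus.example.com`) |
-| `CERBERUS_CLIENT_ID` | OAuth2 client ID used for token introspection |
-| `CERBERUS_CLIENT_SECRET` | OAuth2 client secret used for token introspection |
-| `JWT_SECRET` | Optional local fallback; enables Bearer JWT auth when Cerberus is unavailable |
-| `METADATA_SERVICE_URL` / `ANALYSIS_SERVICE_URL` | External services when not using stubs |
-| `METADATA_SERVICE_API_KEY` / `ANALYSIS_SERVICE_API_KEY` | Shared secrets passed via `x-api-key` for the respective microservices |
-| `FEEDBACK_SERVICE_URL` / `FEEDBACK_SERVICE_API_KEY` | Required when `FEEDBACK_MODE=service` |
-| `FEEDBACK_MODE` | `openai`, `stub`, or `service` |
-| `OPENAI_API_KEY` | Required when `FEEDBACK_MODE=openai` |
-| `USE_STUB_CLIENTS` | Force stub clients even if service URLs provided |
+| Variable | Description |
+| ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `PORT` | HTTP port (default 4001) |
+| `DATABASE_URL` | PostgreSQL connection string (e.g., `postgresql://user:pass@localhost:5432/auralyze_api`) |
+| `CORS_ORIGIN` | Allowed origins for CORS (e.g., `https://app.example.com` or comma-separated list). If not set, reflects the request origin (allows all origins with credentials) |
+| `CERBERUS_BASE_URL` | Cerberus IAM host (e.g., `https://cerberus.example.com`) |
+| `CERBERUS_CLIENT_ID` | OAuth2 client ID used for token introspection |
+| `CERBERUS_CLIENT_SECRET` | OAuth2 client secret used for token introspection |
+| `JWT_SECRET` | Optional local fallback; enables Bearer JWT auth when Cerberus is unavailable |
+| `METADATA_SERVICE_URL` / `ANALYSIS_SERVICE_URL` | External services when not using stubs |
+| `METADATA_SERVICE_API_KEY` / `ANALYSIS_SERVICE_API_KEY` | Shared secrets passed via `x-api-key` for the respective microservices |
+| `FEEDBACK_SERVICE_URL` / `FEEDBACK_SERVICE_API_KEY` | Required when `FEEDBACK_MODE=service` |
+| `FEEDBACK_MODE` | `openai`, `stub`, or `service` |
+| `OPENAI_API_KEY` | Required when `FEEDBACK_MODE=openai` |
+| `USE_STUB_CLIENTS` | Force stub clients even if service URLs provided |
 
 ## Scripts
 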
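--- a/src/app.ts
+++ b/src/app.ts
@@ -13,16 +13,20 @@ interface AppDeps {
 sessionController: SessionController;
 authController?: LocalAuthController;
 authService?: LocalAuthService;
-corsOrigin?: string | string[];
+corsOrigin?: string | string[] | boolean;
 env?: AppEnv;
 }
 
 export function createApp(deps: AppDeps) {
 const app = express();
 
+// CORS configuration
+// Note: When credentials: true, origin cannot be '*' - must be explicit
+const corsOrigin = deps.corsOrigin ?? true; // 'true' reflects the request origin
+
 app.use(
 cors({
-origin: deps.corsOrigin ?? '*',
+origin: corsOrigin,
 credentials: true,
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
 allowedHeaders: ['Content-Type', 'Authorization', 'Cookie'],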
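Review bot: The `deps.corsOrigin ?? true` fallback combined with `credentials: true` makes the API reflect any request Origin together with `Access-Control-Allow-Credentials: true`, so any third-party page can issue credentialed cross-origin requests and read the responses; the comment above it only explains why `'*'` was rejected, not that `true` is the most permissive setting the `cors` package offers. The previous `'*'` default was refused by browsers for credentialed requests, so in practice it failed closed, whereas the new default fails open. Prefer a fail-closed fallback, e.g. `const corsOrigin = deps.corsOrigin ?? false; // no cross-origin access unless an allow-list is configured`, and let the env loader (which already builds an allow-list from `CORS_ORIGIN`) supply the explicit value. If a reflect-all mode is wanted for local development, make it an explicit opt-in rather than the consequence of missing configuration. createApp's body continues past the end of this hunk.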
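--- a/src/config/env.ts
+++ b/src/config/env.ts
@@ -5,6 +5,9 @@ const EnvSchema = z.object({
 PORT: z.coerce.number().default(4001),
 DATABASE_URL: z.string().url().or(z.string().startsWith('file:')),
 JWT_SECRET: z.string().min(32),
+// CORS_ORIGIN: Optional - comma-separated list or single origin
+// If not set, API will reflect the request origin (allows all origins with credentials)
+// For production, recommended to set explicitly for security
 CORS_ORIGIN: z.string().optional(),
 METADATA_SERVICE_URL: z.string().url().optional(),
 METADATA_SERVICE_API_KEY: z.string().optional(),
@@ -17,7 +20,7 @@ const EnvSchema = z.object({
 });
 
 export type AppEnv = z.infer<typeof EnvSchema> & {
-corsOrigin: string | string[];
+corsOrigin: string | string[] | boolean;
 };
 
 export function loadEnv(): AppEnv {
@@ -27,11 +30,12 @@ export function loadEnv(): AppEnv {
 }
 
 // Parse CORS_ORIGIN - can be a comma-separated list or single origin
+// If not set, use 'true' to reflect the request origin (allows all with credentials)
 const corsOrigin = parsed.data.CORS_ORIGIN
 ? parsed.data.CORS_ORIGIN.includes(',')
 ? parsed.data.CORS_ORIGIN.split(',').map((origin) => origin.trim())
 : parsed.data.CORS_ORIGIN
-: '*';
+: true;
 
 return {
 ...parsed.data,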
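Review bot: The `: true` fallback at the end of the `corsOrigin` expression in the last hunk turns a forgotten `CORS_ORIGIN` into a reflect-any-origin policy, and because app.ts sends `credentials: true`, that is the most permissive CORS configuration possible — more exposed than the old `'*'`, which browsers refuse to honour for credentialed requests. The schema already refuses to start on a weak `JWT_SECRET` (`min(32)`), so the same fail-closed stance fits here: change the fallback to `: false; // CORS disabled until CORS_ORIGIN is set` and point local development at an explicit value such as `CORS_ORIGIN=http://localhost:3000`, the example the README carried before this commit. If a permissive development mode is still wanted, gate it on an explicit flag rather than on the variable being absent; no such flag is visible in the schema shown here, so the new comment's "recommended to set explicitly for security" is currently advice rather than an enforced invariant. The loadEnv body begins before this hunk.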