github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow all origins by default, restrict only when ALLOWED_ORIGINS is set

Browse Source 
Same-origin requests don't need CORS restrictions. Users can optionally
set ALLOWED_ORIGINS to lock it down.
This commit is contained in:
Maurice
2026-03-19 00:13:23 +01:00
parent c6a9b54662
commit 8601370a47
2 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose.yml
View File

@@ -7,7 +7,7 @@ services:
environment: environment:
- NODE_ENV=production - NODE_ENV=production
- JWT_SECRET=${JWT_SECRET:-change-me-to-a-long-random-string} - JWT_SECRET=${JWT_SECRET:-change-me-to-a-long-random-string}
- ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:3000} # - ALLOWED_ORIGINS=https://yourdomain.com # Optional: restrict CORS to specific origins
- PORT=3000 - PORT=3000
volumes: volumes:
- ./data:/app/data - ./data:/app/data

12
server/src/index.js
View File

@@ -21,12 +21,14 @@ const tmpDir = path.join(__dirname, '../data/tmp');
// Middleware // Middleware
const allowedOrigins = process.env.ALLOWED_ORIGINS const allowedOrigins = process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',') ? process.env.ALLOWED_ORIGINS.split(',')
: ['http://localhost:5173', 'http://localhost:3000']; : null;
app.use(cors({ app.use(cors({
origin: (origin, callback) => { origin: allowedOrigins
if (!origin || allowedOrigins.includes(origin)) callback(null, true); ? (origin, callback) => {
else callback(new Error('Not allowed by CORS')); if (!origin || allowedOrigins.includes(origin)) callback(null, true);
}, else callback(new Error('Not allowed by CORS'));
}
: true,
credentials: true credentials: true
})); }));
app.use(express.json()); app.use(express.json());