feat: support multiple origins for CORS

Dwigoric · Nov 14, 2023 · 716519b · 716519b
1 parent c201381
commit 716519b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -18,9 +18,10 @@ The MongoDB URI to use for the application, defaults to `mongodb://localhost:270
 ### `JWT_SECRET`
 The secret to use for JWT. This is required for the application to run.
 If not set, the application will throw an error.
-### `FRONTEND_URL`
-The URL of the frontend application, defaults to `http://localhost:5173`.
+### `FRONTEND_URLS`
+The comma-separated list of URLs of the frontend application.
 This is used for CORS.
+If no value is set, the application will allow all origins.
 
 ## Private Files
 Put any private files in the `private` directory.

diff --git a/example.env b/example.env
@@ -1,4 +1,4 @@
 MONGODB_URI=
 JWT_SECRET=
-FRONTEND_URL=
+FRONTEND_URLS=
 PORT=
diff --git a/src/app.js b/src/app.js
@@ -1,7 +1,3 @@
-// Default FRONTEND_URL
-
-const DEFAULT_FRONTEND_URL = 'http://localhost:5173'
-
 // Packages
 import createError from 'http-errors'
 import express from 'express'
@@ -30,12 +26,12 @@ import settingsRouter from './routes/settings.js'
 const app = express()
 
 // Configure CORS
-if (!process.env.FRONTEND_URL)
-    console.warn(`FRONTEND_URL not set, using default: ${DEFAULT_FRONTEND_URL}`)
-
+const whitelist = []
+if (!process.env.FRONTEND_URL) console.warn('FRONTEND_URLS not set, allowing all origins')
+else whitelist.push(...process.env.FRONTEND_URL.split(','))
 app.use(
     cors({
-        origin: process.env.FRONTEND_URL || DEFAULT_FRONTEND_URL,
+        origin: (origin) => whitelist.length === 0 || whitelist.includes(origin),
         optionsSuccessStatus: 200
     })
 )