fix: Support multiple CORS origins via comma-separated BASE_URL

Closes #1344
2025-12-24 09:15:01 +03:00 · 2025-09-15 19:38:31 +02:00
parent 98f537c2bc
commit 230b31914c
2 changed files with 10 additions and 9 deletions
--- a/server/config/custom.js
+++ b/server/config/custom.js
@@ -27,7 +27,8 @@ const envToBytes = (value) => bytes(value);

 const envToArray = (value) => (value ? value.split(',') : []);

-const parsedBasedUrl = new URL(process.env.BASE_URL);
+const baseUrl = envToArray(process.env.BASE_URL)[0];
+const parsedBasedUrl = new URL(baseUrl);

 module.exports.custom = {
  /**
@@ -38,7 +39,7 @@ module.exports.custom = {

  version,

-  baseUrl: process.env.BASE_URL,
+  baseUrl,
  baseUrlPath: parsedBasedUrl.pathname,
  baseUrlSecure: parsedBasedUrl.protocol === 'https:',

@@ -94,7 +95,7 @@ module.exports.custom = {

  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${
-    sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'
+    sails.config.environment === 'production' ? baseUrl : 'http://localhost:3000'
  }/oidc-callback`,

  smtpHost: process.env.SMTP_HOST,
--- a/server/config/env/production.js
+++ b/server/config/env/production.js
@@ -23,7 +23,7 @@ const { URL } = require('url');

 const { customLogger } = require('../../utils/logger');

-const parsedBasedUrl = new URL(process.env.BASE_URL);
+const origins = process.env.BASE_URL.split(',').map((baseUrl) => new URL(baseUrl).origin);

 module.exports = {
  /**
@@ -133,10 +133,10 @@ module.exports = {
     */

    cors: {
-      allRoutes: false,
-      allowOrigins: '*',
-      allowRequestHeaders: 'content-type',
-      allowCredentials: false,
+      allRoutes: true,
+      allowOrigins: origins.slice(1),
+      allowRequestHeaders: ['Authorization'],
+      allowCredentials: true,
    },
  },

@@ -221,7 +221,7 @@ module.exports = {
     *
     */

-    onlyAllowOrigins: [parsedBasedUrl.origin],
+    onlyAllowOrigins: origins,

    /**
     *