fix(api): implement production-ready cors in error handler

fulleni · fulleni · commit 156b6ff2d4ec · 2025-07-14T06:53:48.000+01:00
The errorHandler middleware was not adding CORS headers to error
responses in a production-ready way. This caused browsers to block
client-side applications from reading the response body, resulting in
generic network errors instead of specific API error messages.

This change refactors the errorHandler to use an environment-aware
helper function. It now checks for a `CORS_ALLOWED_ORIGIN` environment
variable for production and falls back to allowing any `localhost`
origin for development. This aligns the error response behavior with
the main CORS middleware and the project's documentation, fixing the bug.
diff --git a/lib/src/config/environment_config.dart b/lib/src/config/environment_config.dart
@@ -79,4 +79,11 @@ abstract final class EnvironmentConfig {
   /// The value is read from the `ENV` environment variable.
   /// Defaults to 'production' if the variable is not set.
   static String get environment => _env['ENV'] ?? 'production';
+
+  /// Retrieves the allowed CORS origin from the environment.
+  ///
+  /// The value is read from the `CORS_ALLOWED_ORIGIN` environment variable.
+  /// This is used to configure CORS for production environments.
+  /// Returns `null` if the variable is not set.
+  static String? get corsAllowedOrigin => _env['CORS_ALLOWED_ORIGIN'];
 }
diff --git a/lib/src/middlewares/error_handler.dart b/lib/src/middlewares/error_handler.dart
@@ -4,6 +4,7 @@
 import 'dart:io';
 
 import 'package:dart_frog/dart_frog.dart';
+import 'package:ht_api/src/config/environment_config.dart';
 import 'package:ht_shared/ht_shared.dart';
 import 'package:json_annotation/json_annotation.dart';
 
@@ -108,15 +109,24 @@ Response _jsonErrorResponse({
     HttpHeaders.contentTypeHeader: 'application/json',
   };
 
-  // Add CORS headers to error responses to allow the client to read them.
-  // This logic mirrors the behavior of `shelf_cors_headers` for development.
-  final origin = context.request.headers['Origin'];
-  if (origin != null) {
-    // A simple check for localhost development environments.
-    // For production, this should be a more robust check against a list
-    // of allowed origins from environment variables.
-    if (Uri.tryParse(origin)?.host == 'localhost') {
-      headers[HttpHeaders.accessControlAllowOriginHeader] = origin;
+  // Add CORS headers to error responses. This logic is environment-aware.
+  // In production, it uses a specific origin from `CORS_ALLOWED_ORIGIN`.
+  // In development (if the variable is not set), it allows any localhost.
+  final requestOrigin = context.request.headers['Origin'];
+  if (requestOrigin != null) {
+    final allowedOrigin = EnvironmentConfig.corsAllowedOrigin;
+
+    var isOriginAllowed = false;
+    if (allowedOrigin != null) {
+      // Production: Check against the specific allowed origin.
+      isOriginAllowed = (requestOrigin == allowedOrigin);
+    } else {
+      // Development: Allow any localhost origin.
+      isOriginAllowed = (Uri.tryParse(requestOrigin)?.host == 'localhost');
+    }
+
+    if (isOriginAllowed) {
+      headers[HttpHeaders.accessControlAllowOriginHeader] = requestOrigin;
       headers[HttpHeaders.accessControlAllowMethodsHeader] =
           'GET, POST, PUT, DELETE, OPTIONS';
       headers[HttpHeaders.accessControlAllowHeadersHeader] =
