feat(cors): add CORS support with configurable allowed origins

n3rdc4ptn · n3rdc4ptn · commit 7e91e6ad31bd · 2025-11-07T13:51:39.000+01:00
diff --git a/.env.template b/.env.template
@@ -32,3 +32,7 @@ FEEDBACK_URL_LINK=
 
 # frame-ancestors attribute of CSP. Separate multiple values with a space
 FRAME_ANCESTORS=
+
+# Allowed CORS origins (comma-separated). Example: https://app.example.com,https://admin.example.com
+# Leave empty to use POST_LOGIN_REDIRECT as the default allowed origin
+ALLOWED_CORS_ORIGINS=
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -28,6 +28,7 @@
     "@apollo/client": "3.14.0",
     "@fastify/autoload": "6.3.1",
     "@fastify/cookie": "11.0.2",
+    "@fastify/cors": "^11.1.0",
     "@fastify/env": "5.0.3",
     "@fastify/helmet": "13.0.2",
     "@fastify/http-proxy": "11.3.0",
diff --git a/server.ts b/server.ts
@@ -1,5 +1,6 @@
 import Fastify from 'fastify';
 import FastifyVite from '@fastify/vite';
+import cors from '@fastify/cors';
 import helmet from '@fastify/helmet';
 import { fileURLToPath } from 'node:url';
 import path from 'node:path';
@@ -65,6 +66,29 @@ const fastify = Fastify({
   logger: true,
 });
 
+fastify.register(cors, {
+  origin: isLocalDev
+    ? true // Allow all origins in local development
+    : (origin, callback) => {
+        // In production, validate against allowed origins
+        // @ts-ignore
+        const allowedOrigins = fastify.config.ALLOWED_CORS_ORIGINS
+          ? // @ts-ignore
+            fastify.config.ALLOWED_CORS_ORIGINS.split(',').map((o) => o.trim())
+          : // @ts-ignore
+            [fastify.config.POST_LOGIN_REDIRECT]; // Fallback to POST_LOGIN_REDIRECT
+
+        console.log('Allowed Origin:', allowedOrigins, !origin || allowedOrigins.includes(origin));
+        if (!origin || allowedOrigins.includes(origin)) {
+          callback(null, true);
+        } else {
+          callback(new Error(`Origin ${origin} not allowed by CORS policy`), false);
+        }
+      },
+  methods: ['GET', 'HEAD', 'POST', 'PATCH', 'DELETE'],
+  credentials: true, // Required for cookie-based sessions
+});
+
 Sentry.setupFastifyErrorHandler(fastify);
 await fastify.register(envPlugin);
 
diff --git a/server/config/env.ts b/server/config/env.ts
@@ -29,6 +29,7 @@ const schema = {
     FEEDBACK_SLACK_URL: { type: 'string' },
     FEEDBACK_URL_LINK: { type: 'string' },
     FRAME_ANCESTORS: { type: 'string' },
+    ALLOWED_CORS_ORIGINS: { type: 'string' },
     BFF_SENTRY_DSN: { type: 'string' },
     FRONTEND_SENTRY_DSN: { type: 'string' },
     FRONTEND_SENTRY_ENVIRONMENT: { type: 'string' },
