Merge pull request #134 from prismaymedia/feature/cors-restrictive-whitelist

prismaymedia · web-flow · commit 470c2dcc43b1 · 2025-11-21T14:52:26.000-05:00
diff --git a/server/src/config/cors.config.ts b/server/src/config/cors.config.ts
@@ -0,0 +1,26 @@
+import { CorsOptions } from '@nestjs/common/interfaces/external/cors-options.interface';
+
+const defaultOrigins = [
+  'http://localhost:5173',
+  'https://prismaymedia.github.io',
+  'https://linkfy-app.vercel.app',
+  'chrome-extension://mefdblccfmhfhhcgeckmcicgfnfgolpf',
+];
+
+const whitelist = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim())
+  : defaultOrigins;
+
+export const corsConfig: CorsOptions = {
+  origin: (origin, callback) => {
+    if (!origin || whitelist.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(null, false);
+    }
+  },
+  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+  credentials: true,
+  allowedHeaders: ['Content-Type', 'Authorization', 'Accept', 'sentry-trace', 'baggage'],
+  exposedHeaders: ['Authorization'],
+};
diff --git a/server/src/main.ts b/server/src/main.ts
@@ -13,34 +13,13 @@ import {
   ExceptionFilter,
   Logger,
 } from '@nestjs/common';
-import cors from 'cors';
+import { corsConfig } from './config/cors.config';
 
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
   const logger = new Logger('Bootstrap');
 
-  app.use(
-    cors({
-      origin: process.env.ALLOWED_ORIGINS
-        ? process.env.ALLOWED_ORIGINS.split(',')
-        : [
-          'http://localhost:5173',
-          'https://prismaymedia.github.io',
-          'https://linkfy-app.vercel.app',
-          'chrome-extension://mefdblccfmhfhhcgeckmcicgfnfgolpf',
-        ],
-      credentials: true,
-      allowedHeaders: [
-        'Content-Type',
-        'Authorization',
-        'Accept',
-        'sentry-trace',
-        'baggage',
-      ],
-      exposedHeaders: ['Authorization'],
-      methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
-    }),
-  );
+  app.enableCors(corsConfig);
 
   app.use(json());
   app.use(urlencoded({ extended: false }));
