From dd9383621bfdece9fe118fbc5f4093a3d0b3ed73 Mon Sep 17 00:00:00 2001
From: airslice
Date: Wed, 8 Oct 2025 12:53:07 +0800
Subject: [PATCH] refactor: enhance CORS configuration for better origin handling

---
 server/api/assets/upload.ts | 17 ++++++++++++++++-
 server/api/photographs.ts   | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/server/api/assets/upload.ts b/server/api/assets/upload.ts
index b806da9..bdce65b 100644
--- a/server/api/assets/upload.ts
+++ b/server/api/assets/upload.ts
@@ -8,9 +8,24 @@ import { sendSuccess, sendError } from "../../src/utils/response.js";
 
 // CORS configuration
 const corsOptions = {
-  origin: process.env.CORS_ORIGIN || "*",
+  origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
+    const corsOrigin = process.env.CORS_ORIGIN;
+    if (!corsOrigin) {
+      callback(null, true);
+      return;
+    }
+
+    const allowedOrigins = corsOrigin.split(',').map(o => o.trim());
+
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error("Not allowed by CORS"));
+    }
+  },
   methods: ["POST", "OPTIONS"],
   allowedHeaders: ["Content-Type", "Authorization"],
+  credentials: true,
 };
 
 // Apply CORS middleware
diff --git a/server/api/photographs.ts b/server/api/photographs.ts
index 5b8f815..defc3ca 100644
--- a/server/api/photographs.ts
+++ b/server/api/photographs.ts
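Review bot: When `CORS_ORIGIN` is unset, the new `origin` callback answers `callback(null, true)` for every request while the same hunk adds `credentials: true`; with the cors middleware that combination (as far as I can tell from its documented behaviour) reflects the requesting Origin into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, which is a wider grant than the old `"*"` default, because browsers refuse to attach cookies or Authorization to a wildcard origin. The safer default is to fail closed when no allow-list is configured, e.g. replace the first branch with `callback(new Error("CORS_ORIGIN is not configured"));`, or at least only set `credentials: true` when an explicit allow-list exists. The `!origin` bypass is reasonable for same-origin and non-browser clients but deserves a comment, e.g. `// Requests without an Origin header (same-origin, server-to-server) are not subject to CORS`. The same applies to the `server/api/photographs.ts` hunk below.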
@@ -9,9 +9,24 @@ import { validateRequest, PhotographSchema } from "../src/utils/validation.js";
 
 // CORS configuration
 const corsOptions = {
-  origin: process.env.CORS_ORIGIN || "*",
+  origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
+    const corsOrigin = process.env.CORS_ORIGIN;
+    if (!corsOrigin) {
+      callback(null, true);
+      return;
+    }
+
+    const allowedOrigins = corsOrigin.split(',').map(o => o.trim());
+
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error("Not allowed by CORS"));
+    }
+  },
   methods: ["GET", "POST", "OPTIONS"],
   allowedHeaders: ["Content-Type", "Authorization"],
+  credentials: true,
 };
 
 // Apply CORS middleware
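Review bot: The `corsOptions` literal is now duplicated verbatim between `server/api/photographs.ts` and `server/api/assets/upload.ts`, differing only in `methods`, and the origin callback re-reads and re-splits `process.env.CORS_ORIGIN` on every request. Parsing the allow-list once at module load into a `Set<string>` and exporting a single origin check from a shared utils module (with `methods` supplied per route) would keep the two handlers from drifting apart the next time the policy changes. The `const corsOptions` statement is fully contained in this hunk.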