fix(cors): normalize self-hosted origin matching

Normalize CLIENT_URL and CHECKOUT_BASE_URL to strict HTTP(S) origins, reuse dashboard origin checks in API auth middleware, and harden origin unit tests for env restoration and malformed values.

Author: ramadanomar

server/src/middleware/apiAuthMiddleware.ts

@@ -1,6 +1,6 @@
 import { AuthType, ErrCode } from "@autumn/shared";
 import { verifyKey } from "@/internal/dev/api-keys/apiKeyUtils.js";
-import { dashboardOrigins } from "@/utils/constants.js";
+import { isDashboardOrigin } from "@/utils/constants.js";
 import RecaseError from "@/utils/errorUtils.js";
 import { withOrgAuth } from "./authMiddleware.js";
 import { verifyBearerPublishableKey } from "./publicAuthMiddleware.js";
@@ -15,7 +15,7 @@ const verifySecretKey = async (req: any, res: any, next: any) => {
 
 	if (!authHeader || !authHeader.startsWith("Bearer ")) {
 		const origin = req.get("origin");
-		if (dashboardOrigins.includes(origin)) {
+		if (isDashboardOrigin({ origin })) {
 			return withOrgAuth(req, res, next);
 		} else {
 			throw new RecaseError({
@@ -100,7 +100,7 @@ export const apiAuthMiddleware = async (req: any, res: any, next: any) => {
 	} catch (error: any) {
 		if (error instanceof RecaseError) {
 			if (error.code === ErrCode.InvalidSecretKey) {
-				const apiKey = req.headers["authorization"]?.split(" ")[1];
+				const apiKey = req.headers.authorization?.split(" ")[1];
 				error.message = `Invalid secret key: ${maskApiKey(apiKey)}`;
 			}
 

server/src/utils/constants.ts

@@ -1,5 +1,6 @@
 import "dotenv/config";
 import { CusProductStatus } from "@autumn/shared";
+import { getClientOrigin } from "./corsOrigins.js";
 
 const BREAK_API_VERSION = 0.2;
 
@@ -20,14 +21,29 @@ export const ADMIN_USER_IDs = [
 	"K7NDwSwohMCV9BXJ3Yb5MxgeXhWcwj0L", // charlie sandbox
 ];
 
-export const dashboardOrigins = [
+const DEFAULT_DASHBOARD_ORIGINS = [
 	"http://localhost:3000",
 	"https://app.useautumn.com",
 	"https://staging.useautumn.com",
 	"https://dev.useautumn.com",
-	process.env.CLIENT_URL!,
 ];
 
+export const getDashboardOrigins = (): string[] => {
+	const clientOrigin = getClientOrigin();
+	const origins = [...DEFAULT_DASHBOARD_ORIGINS];
+	if (clientOrigin) {
+		origins.push(clientOrigin);
+	}
+
+	return [...new Set(origins)];
+};
+
+export const isDashboardOrigin = ({ origin }: { origin?: string }) => {
+	if (!origin) return false;
+
+	return getDashboardOrigins().includes(origin);
+};
+
 export const WEBHOOK_EVENTS = [
 	"checkout.session.completed",
 	"customer.subscription.created",

server/src/utils/corsOrigins.ts

@@ -18,21 +18,32 @@ export const ALLOWED_ORIGINS = [
 
 const toOrigin = ({ url }: { url?: string }): string | undefined => {
 	if (!url) return undefined;
+	const trimmedUrl = url.trim();
+	if (!trimmedUrl) return undefined;
 
 	try {
-		return new URL(url).origin;
+		const parsedUrl = new URL(trimmedUrl);
+		if (!["http:", "https:"].includes(parsedUrl.protocol)) return undefined;
+		return parsedUrl.origin;
 	} catch {
 		return undefined;
 	}
 };
 
+export const getClientOrigin = (): string | undefined => {
+	return toOrigin({ url: process.env.CLIENT_URL });
+};
+
+export const getCheckoutBaseOrigin = (): string | undefined => {
+	return toOrigin({ url: process.env.CHECKOUT_BASE_URL });
+};
+
 export const getSelfHostedOrigins = (): string[] => {
-	const origins = [
-		toOrigin({ url: process.env.CLIENT_URL }),
-		toOrigin({ url: process.env.CHECKOUT_BASE_URL }),
-	];
+	const origins = [getClientOrigin(), getCheckoutBaseOrigin()];
 
-	return origins.filter((origin): origin is string => Boolean(origin));
+	return [
+		...new Set(origins.filter((origin): origin is string => Boolean(origin))),
+	];
 };
 
 /** Allow any localhost origin in dev for multi-worktree support */

server/tests/unit/corsOrigins.test.ts

@@ -1,15 +1,33 @@
 import { afterEach, describe, expect, test } from "bun:test";
 import { ALLOWED_ORIGINS, isAllowedOrigin } from "@/utils/corsOrigins.js";
 
+const restoreEnvVar = ({
+	key,
+	value,
+}: {
+	key: "NODE_ENV" | "CLIENT_URL" | "CHECKOUT_BASE_URL";
+	value: string | undefined;
+}) => {
+	if (value === undefined) {
+		delete process.env[key];
+		return;
+	}
+
+	process.env[key] = value;
+};
+
 describe("isAllowedOrigin", () => {
 	const originalNodeEnv = process.env.NODE_ENV;
 	const originalClientUrl = process.env.CLIENT_URL;
 	const originalCheckoutBaseUrl = process.env.CHECKOUT_BASE_URL;
 
 	afterEach(() => {
-		process.env.NODE_ENV = originalNodeEnv;
-		process.env.CLIENT_URL = originalClientUrl;
-		process.env.CHECKOUT_BASE_URL = originalCheckoutBaseUrl;
+		restoreEnvVar({ key: "NODE_ENV", value: originalNodeEnv });
+		restoreEnvVar({ key: "CLIENT_URL", value: originalClientUrl });
+		restoreEnvVar({
+			key: "CHECKOUT_BASE_URL",
+			value: originalCheckoutBaseUrl,
+		});
 	});
 
 	describe("production", () => {
@@ -96,6 +114,14 @@ describe("isAllowedOrigin", () => {
 			).toBe("https://autumn-checkout-production.up.railway.app");
 		});
 
+		test("trims whitespace around self-hosted env URLs", () => {
+			process.env.NODE_ENV = "production";
+			process.env.CLIENT_URL = "  https://dashboard.mycompany.com/app/  ";
+			expect(isAllowedOrigin("https://dashboard.mycompany.com")).toBe(
+				"https://dashboard.mycompany.com",
+			);
+		});
+
 		test("allows CHECKOUT_BASE_URL origin when URL has path", () => {
 			process.env.NODE_ENV = "production";
 			process.env.CHECKOUT_BASE_URL =
@@ -137,6 +163,15 @@ describe("isAllowedOrigin", () => {
 			).toBeUndefined();
 		});
 
+		test("ignores non-http protocols in self-hosted env URLs", () => {
+			process.env.NODE_ENV = "production";
+			process.env.CLIENT_URL = "ftp://dashboard.mycompany.com";
+
+			expect(
+				isAllowedOrigin("https://dashboard.mycompany.com"),
+			).toBeUndefined();
+		});
+
 		test("rejects custom domains when env URLs are unset", () => {
 			process.env.NODE_ENV = "production";
 			delete process.env.CLIENT_URL;