use CORS_ALLOW_ORIGINS instead of SERVER_ORIGIN, WEB_ORIGIN, WEB_ORIGIN_BUILD, and MOBILE_ORIGIN

aster-void · aster-void · commit 6c6aecb33bbb · 2024-11-08T14:15:26.000+09:00
diff --git a/server/.env.sample b/server/.env.sample
@@ -3,10 +3,8 @@
 # below can be used for docker db created via `make dev-db`
 DATABASE_URL=postgres://user:password@localhost:5432/database
 
-# Application origins
-SERVER_ORIGIN=http://localhost:3000
-WEB_ORIGIN=http://localhost:5173
-MOBILE_ORIGIN=http://localhost:8081
+# CORS allow origins, separated by "," | no space is allowed before/after ","
+CORS_ALLOW_ORIGINS=http://localhost:3000,http://localhost:3001
 
 # Firebase
 FIREBASE_PROJECT_ID=project-id
diff --git a/server/src/index.ts b/server/src/index.ts
@@ -3,6 +3,7 @@ import express from "express";
 import csrf from "./lib/cross-origin/block-unknown-origin";
 import cors from "./lib/cross-origin/multi-origin-cors";
 import { initializeSocket } from "./lib/socket/socket";
+import { allUrlMustBeValid, panic } from "./lib/utils";
 import chatRoutes from "./router/chat";
 import coursesRoutes from "./router/courses";
 import matchesRoutes from "./router/matches";
@@ -17,14 +18,15 @@ const app = express();
 app.set("query parser", "simple");
 
 const port = 3000;
-const allowedOrigins = [
-  process.env.SERVER_ORIGIN ?? "http://localhost:3000", // delete this fallback when you think everyone has updated their .env
-  process.env.WEB_ORIGIN,
-  process.env.MOBILE_ORIGIN,
-  process.env.WEB_ORIGIN_BUILD,
-];
+const allowedOrigins = (
+  process.env.CORS_ALLOW_ORIGINS || panic("env CORS_ALLOW_ORIGINS is missing")
+)
+  .split(",")
+  .filter((s) => s); // ignore empty string (trailing comma?)
+allUrlMustBeValid(allowedOrigins);
+
 export const corsOptions = {
-  origins: allowedOrigins.filter((s) => s != null).filter((s) => s), // ignore empty string too
+  origins: allowedOrigins,
   methods: ["GET", "HEAD", "POST", "PUT", "DELETE"],
   credentials: true,
 };
diff --git a/server/src/lib/utils.ts b/server/src/lib/utils.ts
@@ -0,0 +1,14 @@
+export function panic(reason: string): never {
+  throw new Error(`function panic() called for reason: "${reason}"`);
+}
+
+export function allUrlMustBeValid(urls: string[]) {
+  for (const url of urls) {
+    try {
+      new URL(url);
+    } catch (err) {
+      console.error(err);
+      throw err;
+    }
+  }
+}
