feat: add env-based CORS origin support

hussein-m-kandil · web-flow · commit c7e94f376a0b · 2025-05-04T13:17:46.000+03:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -47,6 +47,7 @@
   "dependencies": {
     "@prisma/client": "^6.6.0",
     "bcryptjs": "^3.0.2",
+    "cors": "^2.8.5",
     "express": "^5.1.0",
     "helmet": "^8.1.0",
     "jsonwebtoken": "^9.0.2",
@@ -59,6 +60,7 @@
   "devDependencies": {
     "@eslint/js": "^9.24.0",
     "@stylistic/eslint-plugin": "^4.2.0",
+    "@types/cors": "^2.8.17",
     "@types/eslint__js": "^8.42.3",
     "@types/eslint-plugin-security": "^3.0.0",
     "@types/express": "^5.0.1",
diff --git a/src/app.ts b/src/app.ts
@@ -1,9 +1,12 @@
 import requestLogger from './middlewares/request-logger';
 import errorHandler from './middlewares/error-handler';
+import { ALLOWED_ORIGINS } from './lib/config';
 import AppError from './lib/app-error';
 import apiV1Router from './api/v1';
 import express from 'express';
 import helmet from 'helmet';
+import cors from 'cors';
+import logger from './lib/logger';
 
 const app = express();
 
@@ -13,6 +16,14 @@ app.use(helmet());
 app.use(express.json());
 app.use(requestLogger);
 
+logger.info('ALLOWED_ORIGINS: ', ALLOWED_ORIGINS);
+app.use(
+  cors({
+    origin: ALLOWED_ORIGINS,
+    optionsSuccessStatus: 200, // some legacy browsers (IE11, various SmartTVs) choke on 204
+  })
+);
+
 app.use('/api/v1', apiV1Router);
 
 app.use((req) => {
diff --git a/src/lib/config.ts b/src/lib/config.ts
@@ -1,6 +1,12 @@
 if (!process.env.NODE_ENV) console.warn('Miss Env Var: NODE_ENV');
 if (!process.env.SECRET) console.error('Missing Env Var: SECRET');
 if (!process.env.ADMIN_SECRET) console.error('Missing Env Var: ADMIN_SECRET');
+if (!process.env.ALLOWED_ORIGINS)
+  console.log('Missing Env Var: ALLOWED_ORIGINS');
+
+export const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',').map((origin) => origin.trim())
+  : [];
 
 export const SALT = (Number(process.env.SALT) || process.env.SALT) ?? 10;
 export const SECRET = process.env.SECRET ?? 'secret';
@@ -9,4 +15,12 @@ export const TOKEN_EXP_PERIOD = process.env.TOKEN_EXP_PERIOD ?? '3d';
 export const NODE_ENV = process.env.NODE_ENV;
 export const CI = Boolean(process.env.CI);
 
-export default { SALT, SECRET, ADMIN_SECRET, TOKEN_EXP_PERIOD, NODE_ENV, CI };
+export default {
+  TOKEN_EXP_PERIOD,
+  ALLOWED_ORIGINS,
+  ADMIN_SECRET,
+  NODE_ENV,
+  SECRET,
+  SALT,
+  CI,
+};
