further CORS tweaks

2025-04-01 00:34:04 +02:00 · 2025-04-01 00:34:04 +02:00 · 78c22ab7c2
commit 78c22ab7c2
parent 96cf5968eb
4 changed files with 52 additions and 37 deletions
--- a/backend/.env
+++ b/backend/.env
@ -23,7 +23,7 @@ SMTP_USER=mailer@imk.mk
 SMTP_PASS=76Avtostoperski76
 SMTP_FROM=mailer@imk.mk
 # FRONTEND_URL=https://imk.mk
-EMAIL_FROM=mailer@yandex.com
+EMAIL_FROM=mailer@imk.mk

 ADMIN_EMAIL=taratur@gmail.com

--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@ -2,7 +2,6 @@ import { MiddlewareConsumer, Module, NestModule } from "@nestjs/common";
 import { AppController } from "./app.controller";
 import { AppService } from "./app.service";
 import { AuthModule } from "./auth/auth.module";
-//import { TypeOrmModule } from '@nestjs/typeorm';
 import { AdminModule } from "./admin/admin.module";
 import { ClientModule } from "./client/client.module";
 import { UploadService } from "./upload/upload.service";
@ -12,12 +11,14 @@ import { S3Module } from "./s3/s3.module";
 import { PrismaService } from "./prisma/prisma.service";
 import { PrismaModule } from "./prisma/prisma.module";
 import { ConfigModule } from "@nestjs/config";
+import { ConfigService } from "@nestjs/config";
 import { AuthController } from "./auth/auth.controller";
 import { DocumentsController } from "./documents/documents.controller";
 import { JwtModule } from "@nestjs/jwt";
 import { EmailModule } from "./email/email.module";
 import { InitModule } from "./init/init.module";
 import { HealthController } from "./health/health.controller";
+import { corsConfig } from "./config/cors.config";

@Module({
  imports: [
@ -51,19 +52,40 @@ import { HealthController } from "./health/health.controller";
  ],
 })
 export class AppModule implements NestModule {
+  constructor(private readonly configService: ConfigService) {}
  configure(consumer: MiddlewareConsumer) {
+    const allowedOrigins = [
+      "http://localhost:5173",
+      "https://www.placebo.mk",
+      "https://placebo.mk",
+      "https://imkapi.oblak.solutions",
+    ];
+
    consumer
      .apply((req, res, next) => {
-        res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
+        const origin = req.headers.origin;
+        if (req.method === "OPTIONS") {
+          if (origin && corsConfig.origin.includes(origin)) {
+            res.header("Access-Control-Allow-Origin", origin);
+          }
          res.header("Access-Control-Allow-Credentials", "true");
          res.header(
-          "Access-Control-Allow-Headers",
-          "Origin, X-Requested-With, Content-Type, Accept",
+            "Access-Control-Allow-Methods",
+            corsConfig.methods.join(", "),
          );
          res.header(
-          "Access-Control-Allow-Methods",
-          "GET, POST, PUT, DELETE, OPTIONS",
+            "Access-Control-Allow-Headers",
+            corsConfig.allowedHeaders.join(", "),
          );
+          res.header("Access-Control-Max-Age", "86400");
+          res.status(204).end();
+          return;
+        }
+
+        if (origin && corsConfig.origin.includes(origin)) {
+          res.header("Access-Control-Allow-Origin", origin);
+        }
+        res.header("Access-Control-Allow-Credentials", "true");
        next();
      })
      .forRoutes("*");
--- a/backend/src/config/cors.config.ts
+++ b/backend/src/config/cors.config.ts
@ -0,0 +1,17 @@
+export const corsConfig = {
+  origin: [
+    "http://localhost:5173",
+    "https://www.placebo.mk",
+    "https://placebo.mk",
+    "https://imkapi.oblak.solutions",
+  ],
+  methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"],
+  credentials: true,
+  allowedHeaders: [
+    "Origin",
+    "X-Requested-With",
+    "Content-Type",
+    "Accept",
+    "Authorization",
+  ],
+};
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@ -3,6 +3,7 @@ import { NestFactory } from "@nestjs/core";
 import { AppModule } from "./app.module";
 // import { CorsOptions } from '@nestjs/common/interfaces/external/cors-options.interface';
 import helmet from "helmet";
+import { corsConfig } from "./config/cors.config";

 async function bootstrap() {
  const logger = new Logger("Bootstrap");
@ -15,32 +16,7 @@ async function bootstrap() {
    });

    // Enable CORS
-    app.enableCors({
-      origin: [
-        "https://www.placebo.mk",
-        "https://placebo.mk",
-        "http://localhost:5173",
-        "https://imkapi.oblak.solutions",
-      ],
-      methods: "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS",
-      credentials: true,
-      allowedHeaders: [
-        "Origin",
-        "X-Requested-With",
-        "Content-Type",
-        "Accept",
-        "Authorization",
-        "Access-Control-Allow-Headers",
-        "Access-Control-Allow-Origin",
-        "Access-Control-Allow-Credentials",
-      ],
-      exposedHeaders: [
-        "Access-Control-Allow-Origin",
-        "Access-Control-Allow-Credentials",
-      ],
-      preflightContinue: false,
-      optionsSuccessStatus: 204,
-    });
+    app.enableCors(corsConfig);

    // Global pipes
    app.useGlobalPipes(