diff --git a/app/main.ts b/app/main.ts
index 9221323..e3b4c2c 100644
--- a/app/main.ts
+++ b/app/main.ts
@@ -81,24 +81,38 @@ const main = async () => {
   app.use(express.json());
 
   const allowedOrigins = [
-    "http://localhost:5173", // lstV2 dev
-    "http://localhost:5500", // lst dev
-    "http://localhost:4200", // express
-    "http://localhost:4000", // prod port
+    /^https?:\/\/localhost:(5173|5500|4200|3000|4000)$/, // all the allowed backend ports
+    /^https?:\/\/.*\.alpla\.net$/,
     env.BETTER_AUTH_URL, // prod
   ];
 
   app.use(
     cors({
       origin: (origin, callback) => {
-        // allow requests with no origin (like curl, service workers, PWAs)
-        if (!origin) return callback(null, true);
+        //console.log("CORS request from origin:", origin);
 
-        if (allowedOrigins.includes(origin)) {
-          return callback(null, true);
-        } else {
-          return callback(new Error("Not allowed by CORS"));
+        if (!origin) return callback(null, true); // allow same-site or direct calls
+
+        try {
+          const hostname = new URL(origin).hostname; // strips protocol/port
+          //console.log("Parsed hostname:", hostname);
+
+          if (allowedOrigins.includes(origin)) {
+            return callback(null, true);
+          }
+
+          // Now this works for *.alpla.net
+          if (
+            hostname.endsWith(".alpla.net") ||
+            hostname === "alpla.net"
+          ) {
+            return callback(null, true);
+          }
+        } catch (err) {
+          //console.error("Invalid Origin header:", origin);
         }
+
+        return callback(new Error("Not allowed by CORS: " + origin));
       },
       methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
       credentials: true,
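Review bot: The two RegExp entries added to `allowedOrigins` can never match, because `allowedOrigins.includes(origin)` inside the `try` block compares with strict equality and a RegExp is never `===` a string, so after this change the localhost dev origins are rejected and only `env.BETTER_AUTH_URL` and the `.alpla.net` suffix check admit requests. Replace the `includes` test with `const allowed = allowedOrigins.some((o) => (o instanceof RegExp ? o.test(origin) : o === origin));` and branch on `allowed`. Since `credentials: true` is set, the suffix check accepts `http://` origins and every `*.alpla.net` host, which is broader than the explicit list it replaces; consider also requiring `new URL(origin).protocol === "https:"` in the wildcard branch, or enumerating the expected hosts. The `catch (err)` block swallows the URL parse failure with only commented-out logging and leaves `err` unused; either drop the binding (`catch {`) or keep a real log line. The enclosing `main` arrow function starts and ends outside the hunk.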