Bilder von Hand sortieren

2025-09-25 19:09:58 +00:00
parent da9d08c149
commit 0bfb8b2074
16 changed files with 462 additions and 163 deletions

63
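--- a/backend/dist/app.js
+++ b/backend/dist/app.js
@@ -27,28 +27,49 @@ const limiter = (0, express_rate_limit_1.default)({
 message: 'Too many requests from this IP, please try again later.',
 });
 app.use(limiter);
-const allowedOrigins = [
-'http://localhost:5173',
-'http://localhost:3000',
-config_1.config.cors.origin
-].filter(Boolean);
-const corsConfig = config_1.config.cors.origin === '*'
-? {
-origin: true,
-credentials: true,
-}
-: {
-origin: allowedOrigins,
-credentials: true,
-};
-app.use((0, cors_1.default)(corsConfig));
+const insecureOverride = process.env.ALLOW_INSECURE_CORS === '1';
+const isProd = process.env.NODE_ENV === 'production';
+let allowedOrigins = [];
+if (config_1.config.cors.origin.includes(',')) {
+allowedOrigins = config_1.config.cors.origin.split(',').map(o => o.trim()).filter(Boolean);
+}
+else if (config_1.config.cors.origin === '*' && (!isProd || insecureOverride)) {
+allowedOrigins = ['*'];
+}
+else {
+allowedOrigins = [config_1.config.cors.origin];
+}
+allowedOrigins = Array.from(new Set(allowedOrigins.map(o => o.replace(/\/$/, ''))));
+if (!isProd && !allowedOrigins.includes('*')) {
+['http://localhost:5173', 'http://localhost:3000'].forEach(def => {
+if (!allowedOrigins.includes(def))
+allowedOrigins.push(def);
+});
+}
+if (isProd && allowedOrigins.includes('*') && !insecureOverride) {
+console.warn('[CORS] Wildcard removed in production. Set CORS_ORIGIN explicitly or ALLOW_INSECURE_CORS=1 (NOT RECOMMENDED).');
+allowedOrigins = allowedOrigins.filter(o => o !== '*');
+}
+app.use((0, cors_1.default)({
+origin: (origin, callback) => {
+if (!origin)
+return callback(null, true);
+if (allowedOrigins.includes('*') || allowedOrigins.includes(origin.replace(/\/$/, ''))) {
+return callback(null, true);
+}
+console.warn(`[CORS] Blocked origin: ${origin}`);
+return callback(new Error('CORS not allowed for this origin'));
+},
+credentials: true,
+}));
 app.use((req, res, next) => {
 const origin = req.headers.origin;
-if (config_1.config.cors.origin === '*') {
+const normalized = origin?.replace(/\/$/, '');
+if (allowedOrigins.includes('*')) {
 res.header('Access-Control-Allow-Origin', origin || '*');
 }
-else if (origin && allowedOrigins.includes(origin)) {
-res.header('Access-Control-Allow-Origin', origin);
+else if (normalized && allowedOrigins.includes(normalized)) {
+res.header('Access-Control-Allow-Origin', normalized);
 }
 res.header('Access-Control-Allow-Credentials', 'true');
 res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
@@ -80,8 +101,12 @@ app.get('/serve/*', (req, res, next) => {
 resolvedPath: fullPath
 });
 }
+const requestOrigin = req.headers.origin;
+const chosenOrigin = allowedOrigins.includes('*')
+? (requestOrigin || '*')
+: (requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0] || 'http://localhost:3000');
 res.set({
-'Access-Control-Allow-Origin': 'http://localhost:5173',
+'Access-Control-Allow-Origin': chosenOrigin,
 'Access-Control-Allow-Credentials': 'true',
 'Cache-Control': 'public, max-age=31536000',
 });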
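Review bot: When `allowedOrigins` contains `'*'`, the `cors` options and the header middleware in the first hunk still reflect the caller's `Origin` and send `Access-Control-Allow-Credentials: true`, so any site can make credentialed cross-origin requests whenever the wildcard is active (a non-production run with `CORS_ORIGIN=*`, or production with `ALLOW_INSECURE_CORS=1`). Credentials should be tied to an explicit match, for example `credentials: !allowedOrigins.includes('*')` in the `cors` options, with `res.header('Access-Control-Allow-Credentials', 'true')` moved into the `normalized` branch of the middleware. In the `/serve/*` hunk, `chosenOrigin` checks `requestOrigin` without the trailing-slash normalisation used elsewhere, and for a non-matching origin it falls back to `allowedOrigins[0]`; leaving the CORS headers off when the origin did not match would be clearer. This file appears to be compiled output, so the change belongs in the corresponding source, and both the middleware and the `/serve/*` handler continue outside the hunks shown.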