Input-Text geht, CORS behoben

backend/src/app.ts

@@ -30,32 +30,37 @@ const limiter = rateLimit({
 });
 app.use(limiter);
 
-// CORS configuration - Allow both development and production origins
-const allowedOrigins = [
-  'http://localhost:5173', // Vite dev server
-  'http://localhost:3000', // Docker frontend
-  config.cors.origin       // Environment configured origin
-].filter(Boolean);
+// CORS configuration - support comma separated origins in CORS_ORIGIN
+// NOTE: In docker-compose we temporarily set CORS_ORIGIN="*" for troubleshooting.
+//       Narrow this down for production: e.g. CORS_ORIGIN="http://esprimo:3000,http://localhost:3000".
+let allowedOrigins: string[] = [];
+if (config.cors.origin === '*') {
+  allowedOrigins = ['*'];
+} else if (config.cors.origin.includes(',')) {
+  allowedOrigins = config.cors.origin.split(',').map(o => o.trim()).filter(Boolean);
+} else {
+  allowedOrigins = [config.cors.origin];
+}
 
-// Add local network origins if CORS_ORIGIN is "*" (for local network access)
-const corsConfig = config.cors.origin === '*' 
-  ? {
-      origin: true, // Allow all origins for local network
-      credentials: true,
-    }
-  : {
-      origin: allowedOrigins,
-      credentials: true,
-    };
+// Always add defaults if not already present
+['http://localhost:5173','http://localhost:3000'].forEach(def => {
+  if (!allowedOrigins.includes(def) && !allowedOrigins.includes('*')) allowedOrigins.push(def);
+});
 
-app.use(cors(corsConfig));
+app.use(cors({
+  origin: (origin, callback) => {
+    if (!origin) return callback(null, true); // non-browser (curl, server-side)
+    if (allowedOrigins.includes('*') || allowedOrigins.includes(origin)) return callback(null, true);
+    return callback(new Error(`CORS blocked for origin ${origin}`));
+  },
+  credentials: true,
+}));
 
 // Additional CORS headers for all requests
 app.use((req, res, next) => {
   const origin = req.headers.origin;
   
-  if (config.cors.origin === '*') {
-    // Allow all origins for local network access
+  if (allowedOrigins.includes('*')) {
     res.header('Access-Control-Allow-Origin', origin || '*');
   } else if (origin && allowedOrigins.includes(origin)) {
     res.header('Access-Control-Allow-Origin', origin);
@@ -107,8 +112,12 @@ app.get('/serve/*', (req, res, next) => {
   }
   
   // Set headers for images
+  const requestOrigin = req.headers.origin as string | undefined;
+  const chosenOrigin = allowedOrigins.includes('*')
+    ? (requestOrigin || '*')
+    : (requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0] || 'http://localhost:3000');
   res.set({
-    'Access-Control-Allow-Origin': 'http://localhost:5173',
+    'Access-Control-Allow-Origin': chosenOrigin,
     'Access-Control-Allow-Credentials': 'true',
     'Cache-Control': 'public, max-age=31536000',
   });