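/**
 * CORS Middleware
 *
 * Configures Cross-Origin Resource Sharing for API endpoints.
 *
 * Allowed origins come from the comma-separated CORS_ALLOWED_ORIGINS
 * environment variable, falling back to the built-in list below. The
 * request's Origin header is reflected back only when it matches an entry
 * exactly (no prefix/suffix matching), and credentials are only permitted
 * for such an exact match — never together with the "*" wildcard, which
 * browsers reject anyway.
 *
 * Phase 10: Polish & Cross-Cutting Concerns
 */

/** Origins accepted when CORS_ALLOWED_ORIGINS is not set. */
const DEFAULT_ALLOWED_ORIGINS: readonly string[] = [
  "http://localhost:3000",
  "http://localhost:5173",
  "https://tada.app", // Production domain
  // Capacitor Android shell — the WebView's origin is the hostname
  // configured in capacitor.config.ts (Phase 3.1).
  "https://app.tada.living",
];

/**
 * Parses the comma-separated origin list from the environment.
 *
 * Entries are trimmed and empty entries dropped so that a value such as
 * "https://a.example, https://b.example" matches as intended instead of
 * silently rejecting every origin with a leading space.
 *
 * @param raw - Raw CORS_ALLOWED_ORIGINS value, or undefined when unset.
 * @returns The configured origins, or the defaults when raw is empty/unset.
 */
function parseAllowedOrigins(raw: string | undefined): readonly string[] {
  if (raw === undefined || raw.trim() === "") {
    return DEFAULT_ALLOWED_ORIGINS;
  }
  return raw
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry !== "");
}

export default defineEventHandler((event) => {
  const origin = getRequestHeader(event, "origin");
  const allowedOrigins = parseAllowedOrigins(process.env['CORS_ALLOWED_ORIGINS']);

  // The response depends on the Origin header, so shared caches must key on
  // it; otherwise one origin's Access-Control-Allow-Origin could be served to
  // another origin from cache.
  setResponseHeader(event, "Vary", "Origin");

  if (origin && allowedOrigins.includes(origin)) {
    // Exact match: reflect the origin and allow cookies/Authorization.
    setResponseHeader(event, "Access-Control-Allow-Origin", origin);
    setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
  } else if (allowedOrigins.includes("*")) {
    // Wildcard allows any origin (not recommended for production). Credentials
    // are deliberately not enabled here: browsers refuse "*" with credentials.
    setResponseHeader(event, "Access-Control-Allow-Origin", "*");
  }

  // Methods and headers a cross-origin caller may use.
  setResponseHeader(
    event,
    "Access-Control-Allow-Methods",
    "GET, POST, PATCH, PUT, DELETE, OPTIONS",
  );
  setResponseHeader(
    event,
    "Access-Control-Allow-Headers",
    "Content-Type, Authorization, X-Requested-With",
  );
  setResponseHeader(event, "Access-Control-Max-Age", 86400); // 24 hours

  // Preflight requests need only the headers above; end with an empty 204.
  if (event.method === "OPTIONS") {
    setResponseStatus(event, 204);
    return "";
  }
});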