cors

hotlong · hotlong · commit 2bb23b2a4a28 · 2026-04-18T00:16:16.000+08:00
diff --git a/packages/plugins/plugin-hono-server/src/hono-plugin.ts b/packages/plugins/plugin-hono-server/src/hono-plugin.ts
@@ -9,7 +9,7 @@ import { cors } from 'hono/cors';
 import { serveStatic } from '@hono/node-server/serve-static';
 import * as fs from 'fs';
 import * as path from 'path';
-import { createOriginMatcher, hasWildcardPattern } from './pattern-matcher';
+import { createOriginMatcher, hasWildcardPattern, isLocalhostOrigin } from './pattern-matcher';
 
 export interface StaticMount {
     root: string;
@@ -129,7 +129,11 @@ export class HonoServerPlugin implements Plugin {
                 const credentials = corsOpts.credentials ?? (process.env.CORS_CREDENTIALS !== 'false');
                 const maxAge = corsOpts.maxAge ?? (process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400);
 
-                // Determine origin handler based on configuration
+                // Determine origin handler based on configuration.
+                // Always use a function so that localhost origins are
+                // automatically allowed regardless of the configured
+                // pattern list (handled inside matchOriginPattern /
+                // createOriginMatcher).
                 let origin: string | string[] | ((origin: string) => string | undefined | null);
 
                 // When credentials is true, browsers reject wildcard '*' for Access-Control-Allow-Origin.
@@ -143,8 +147,10 @@ export class HonoServerPlugin implements Plugin {
                     // Use pattern matcher to support subdomain and port wildcards
                     origin = createOriginMatcher(configuredOrigin);
                 } else {
-                    // Exact origin(s) - pass through as-is
-                    origin = configuredOrigin;
+                    // Exact origin(s) — wrap in a function so localhost is
+                    // still auto-allowed via the matcher.
+                    const matcher = createOriginMatcher(configuredOrigin);
+                    origin = (requestOrigin: string) => matcher(requestOrigin);
                 }
 
                 const rawApp = this.server.getRawApp();
diff --git a/packages/plugins/plugin-hono-server/src/pattern-matcher.test.ts b/packages/plugins/plugin-hono-server/src/pattern-matcher.test.ts
@@ -119,7 +119,22 @@ describe('createOriginMatcher', () => {
 
             expect(matcher('http://localhost:3000')).toBe('http://localhost:3000');
             expect(matcher('http://localhost:8080')).toBe('http://localhost:8080');
-            expect(matcher('http://127.0.0.1:3000')).toBe(null);
+            // 127.0.0.1 is also considered localhost and always allowed
+            expect(matcher('http://127.0.0.1:3000')).toBe('http://127.0.0.1:3000');
+        });
+
+        it('should always allow localhost origins regardless of configured patterns', () => {
+            // Even with a restrictive pattern, localhost should be allowed
+            const matcher = createOriginMatcher('https://app.example.com');
+
+            expect(matcher('http://localhost:3000')).toBe('http://localhost:3000');
+            expect(matcher('http://localhost:5173')).toBe('http://localhost:5173');
+            expect(matcher('https://localhost:8443')).toBe('https://localhost:8443');
+            expect(matcher('http://localhost')).toBe('http://localhost');
+            expect(matcher('http://127.0.0.1:3000')).toBe('http://127.0.0.1:3000');
+            expect(matcher('http://[::1]:3000')).toBe('http://[::1]:3000');
+            // Non-localhost should still be rejected
+            expect(matcher('https://evil.com')).toBe(null);
         });
     });
 
diff --git a/packages/plugins/plugin-hono-server/src/pattern-matcher.ts b/packages/plugins/plugin-hono-server/src/pattern-matcher.ts
@@ -18,14 +18,35 @@
  * CORS errors on Vercel.
  */
 
+/**
+ * Returns true when the origin points to localhost (any port, http or https).
+ *
+ * Matches:
+ * - `http://localhost`
+ * - `http://localhost:3000`
+ * - `https://localhost:8443`
+ * - `http://127.0.0.1:5173`
+ * - `http://[::1]:3000`
+ */
+export function isLocalhostOrigin(origin: string): boolean {
+    return /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/.test(origin);
+}
+
 /**
  * Check if an origin matches a pattern with wildcards.
  *
+ * Localhost origins (`http(s)://localhost:<any-port>`, `127.0.0.1`, `[::1]`)
+ * are **always allowed** regardless of the pattern — this removes the need to
+ * enumerate every development port in `CORS_ORIGIN`.
+ *
  * @param origin The origin to check (e.g., `https://app.example.com`)
  * @param pattern The pattern to match against (supports `*` wildcard)
  * @returns true if origin matches the pattern
  */
 export function matchOriginPattern(origin: string, pattern: string): boolean {
+    // Always allow localhost for development convenience
+    if (isLocalhostOrigin(origin)) return true;
+
     if (pattern === '*') return true;
     if (pattern === origin) return true;
 
