Remove hardcoded domain from CORS, add configurable ALLOWED_ORIGIN env var

aiulian25 2025-12-24 23:57:41 +00:00
parent ec05cbb788
commit 55ffea049a
2 changed files with 11 additions and 5 deletions


@ -105,17 +105,21 @@ app.use(helmet({
hidePoweredBy: true
}));
// CORS configuration to allow local network and HTTPS domain
// CORS configuration to allow local network and custom domain
const allowedOrigins = [
'http://localhost:12345',
'http://localhost:9000',
'https://tv.iulian.uk',
'http://tv.iulian.uk',
/^http:\/\/192\.168\.\d{1,3}\.\d{1,3}(:\d+)?$/, // Local network 192.168.x.x
/^http:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?$/, // Local network 10.x.x.x
/^http:\/\/172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}(:\d+)?$/ // Local network 172.16-31.x.x
];
// Add custom domain origins from environment variable
if (process.env.ALLOWED_ORIGIN) {
const customOrigins = process.env.ALLOWED_ORIGIN.split(',').map(o => o.trim());
allowedOrigins.push(...customOrigins);
}
// Mount logo-proxy BEFORE global CORS to handle public image serving
app.use('/api/logo-proxy', require('./routes/logo-proxy'));
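Review bot: The entries read from ALLOWED_ORIGIN in the added `if (process.env.ALLOWED_ORIGIN)` block are pushed into `allowedOrigins` with no validation beyond `trim()`. A stray comma adds an empty string, an entry with a trailing slash or path would not match an Origin header under exact string comparison, and a value such as `*` or `null` lands in the allow-list as written. How the list is matched, and whether credentialed requests are allowed, is outside this hunk, so the effect of such entries should be confirmed against the origin check. I would normalise each entry to its origin, accept only http and https, and fail at startup on anything else, as sketched below.

```javascript
if (process.env.ALLOWED_ORIGIN) {
  for (const entry of process.env.ALLOWED_ORIGIN.split(',')) {
    const value = entry.trim();
    if (value === '') continue; // stray or trailing comma

    let parsed;
    try {
      parsed = new URL(value);
    } catch (err) {
      throw new Error(`ALLOWED_ORIGIN entry is not a valid URL: ${value}`, { cause: err });
    }
    // Non-http(s) schemes serialise their origin as the string "null",
    // which must never end up in a CORS allow-list.
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      throw new Error(`ALLOWED_ORIGIN entry must be http or https: ${value}`);
    }
    allowedOrigins.push(parsed.origin); // drops any path or trailing slash
  }
}
```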