Refactor CORS configuration to handle origins dynamically and improve preflight request handling

Pavan0277 · Pavan0277 · commit af31c5720288 · 2025-06-30T14:21:57.000+05:30
diff --git a/BackEnd/src/app.js b/BackEnd/src/app.js
@@ -3,7 +3,7 @@ import userRoutes from "./routes/userRoutes.js";
 import monthlyLimitRoutes from "./routes/MonthlyLimit.route.js"; // Import the new route
 import expenseRouter from "./routes/expense.router.js";
 import inputRouter from "./routes/Input.router.js";
-import imageRouter from "./routes/ImageUpload.routes.js"
+import imageRouter from "./routes/ImageUpload.routes.js";
 import cors from "cors";
 import path from "path";
 import { fileURLToPath } from "url";
@@ -12,10 +12,38 @@ const app = express();
 
 app.use(
     cors({
-        origin: process.env.CORS_ORIGIN || "*",
+        origin: function (origin, callback) {
+            // Allow requests with no origin (like mobile apps or curl requests)
+            if (!origin) return callback(null, true);
+
+            // If CORS_ORIGIN is set, use it; otherwise allow all origins
+            const allowedOrigins = process.env.CORS_ORIGIN
+                ? process.env.CORS_ORIGIN.split(",")
+                : ["*"];
+
+            if (
+                allowedOrigins.includes("*") ||
+                allowedOrigins.indexOf(origin) !== -1
+            ) {
+                callback(null, true);
+            } else {
+                callback(new Error("Not allowed by CORS"));
+            }
+        },
         credentials: true,
-        methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
-        allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"],
+        allowedHeaders: [
+            "Content-Type",
+            "Authorization",
+            "X-Requested-With",
+            "Accept",
+            "Origin",
+            "Access-Control-Request-Method",
+            "Access-Control-Request-Headers",
+        ],
+        exposedHeaders: ["Content-Length", "X-Foo", "X-Bar"],
+        preflightContinue: false,
+        optionsSuccessStatus: 200,
     })
 );
 
@@ -25,6 +53,22 @@ const __dirname = path.dirname(__filename);
 app.use(express.json({ limit: "16kb" }));
 app.use(express.urlencoded({ extended: true, limit: "16kb" }));
 app.use(express.static("public"));
+
+// Handle preflight requests explicitly
+app.options("*", (req, res) => {
+    res.header("Access-Control-Allow-Origin", req.headers.origin || "*");
+    res.header(
+        "Access-Control-Allow-Methods",
+        "GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD"
+    );
+    res.header(
+        "Access-Control-Allow-Headers",
+        "Content-Type,Authorization,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers"
+    );
+    res.header("Access-Control-Allow-Credentials", "true");
+    res.sendStatus(200);
+});
+
 const buildPath = path.join(__dirname, "../../FrontEnd/dist");
 app.use(express.static(buildPath));
 
@@ -33,8 +77,7 @@ app.use("/api/addInput", inputRouter);
 app.use("/api/expense", expenseRouter);
 app.use("/api/auth", userRoutes);
 app.use("/api/monthly", monthlyLimitRoutes);
-app.use("/api/upload",imageRouter)
-
+app.use("/api/upload", imageRouter);
 
 app.get("/", (req, res) => {
     res.send("Hello World");
