feat: enhance CORS middleware to improve origin matching and logging

soranjiro · soranjiro · commit 669a16e1d013 · 2025-11-18T16:56:42.000+09:00
diff --git a/apps/api/src/middleware/cors.ts b/apps/api/src/middleware/cors.ts
@@ -1,22 +1,51 @@
 import { Context } from 'hono';
 import { Env } from '../utils';
 
+function matchOrigin(origin: string, allowed: string[]): boolean {
+  for (const rule of allowed) {
+    if (rule === '*') return true;
+    if (rule.includes('*')) {
+      const pattern = '^' + rule
+        .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
+        .replace(/\\\*/g, '.*') + '$';
+      const re = new RegExp(pattern);
+      if (re.test(origin)) return true;
+    } else if (rule === origin) {
+      return true;
+    }
+  }
+  return false;
+}
+
 export async function corsMiddleware(c: Context<{ Bindings: Env }>, next: () => Promise<void>) {
-  const origin = c.req.header('Origin');
+  const origin = c.req.header('Origin') || '';
   const allowedOriginsEnv = c.env.ALLOWED_ORIGINS || '*';
 
-  // 許可されたオリジンのリストを取得
   const allowedOrigins = allowedOriginsEnv === '*'
     ? ['*']
-    : allowedOriginsEnv.split(',').map((o: string) => o.trim());
+    : allowedOriginsEnv.split(',').map((o: string) => o.trim()).filter(Boolean);
 
-  // オリジンが許可されているかチェック
   let allowedOrigin = '*';
   if (origin && allowedOrigins[0] !== '*') {
-    if (allowedOrigins.includes(origin)) {
+    if (matchOrigin(origin, allowedOrigins)) {
       allowedOrigin = origin;
     } else {
-      // オリジンが許可されていない場合はCORSヘッダーを返さない
+      // Not allowed origin: log details for troubleshooting
+      try {
+        const url = new URL(c.req.url);
+        console.warn('[CORS] Blocked request', {
+          method: c.req.method,
+          path: url.pathname,
+          origin,
+          allowedOrigins,
+        });
+      } catch (_) {
+        console.warn('[CORS] Blocked request', {
+          method: c.req.method,
+          origin,
+          allowedOrigins,
+        });
+      }
       if (c.req.method === 'OPTIONS') {
         return c.text('Forbidden', 403);
       }
@@ -25,9 +54,12 @@ export async function corsMiddleware(c: Context<{ Bindings: Env }>, next: () =>
     }
   }
 
+  const reqAllowedHeaders = c.req.header('Access-Control-Request-Headers');
+
   c.header('Access-Control-Allow-Origin', allowedOrigin);
+  c.header('Vary', 'Origin, Access-Control-Request-Headers');
   c.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
-  c.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+  c.header('Access-Control-Allow-Headers', reqAllowedHeaders || 'Content-Type, Authorization');
   c.header('Access-Control-Max-Age', '86400');
 
   if (c.req.method === 'OPTIONS') {
