fix(api): allow multiple cors origins

2025-10-10 15:42:52 +02:00
parent 7d4a4c1944
commit 436e81ecc9
1 changed files with 12 additions and 1 deletions
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -93,8 +93,19 @@ const startServer = async () => {
        );

        if (isPrivatePath) {
+          // Allow multiple dashboard domains
+          const allowedOrigins = [
+            process.env.NEXT_PUBLIC_DASHBOARD_URL,
+            ...(process.env.API_CORS_ORIGINS?.split(',') ?? []),
+          ].filter(Boolean);
+
+          const origin = req.headers.origin;
+          const isAllowed = origin && allowedOrigins.includes(origin);
+
+          logger.info('Allowed origins', { allowedOrigins, origin, isAllowed });
+
          return callback(null, {
-            origin: process.env.NEXT_PUBLIC_DASHBOARD_URL,
+            origin: isAllowed ? origin : false,
            credentials: true,
          });
        }