midsuit
/
portal-payment-be
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: update CORS middleware to include OPTIONS method for public API endpoints
Deploy Application / deploy (push) Successful in 35s Details

This commit is contained in:
faisolavolut 2025-11-11 11:07:57 +07:00
parent 6fa2360d64
commit 4e0f729ec8
1 changed files with 2 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/app.ts
View File

@ -25,12 +25,6 @@ const CORS_CACHE_TTL_MS =
Number(process.env.CORS_CACHE_TTL_MS) || 5 * 60 * 1000; Number(process.env.CORS_CACHE_TTL_MS) || 5 * 60 * 1000;
app.use((req, res, next) => { app.use((req, res, next) => {
const publicCorsOptions = {
origin: "*",
methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
credentials: false, // must be false when origin is "*"
};
return (cors(publicCorsOptions) as any)(req, res, next);
// Check if this is a public API endpoint that should allow any origin // Check if this is a public API endpoint that should allow any origin
const isPublicAPIEndpoint = const isPublicAPIEndpoint =
req.path.match(/^\/[^\/]+\/transfer-va\/(inquiry|payment)$/) || req.path.match(/^\/[^\/]+\/transfer-va\/(inquiry|payment)$/) ||
@ -40,7 +34,7 @@ app.use((req, res, next) => {
// Allow any origin for public API endpoints // Allow any origin for public API endpoints
const publicCorsOptions = { const publicCorsOptions = {
origin: "*", origin: "*",
methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"], methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS"],
credentials: false, // must be false when origin is "*" credentials: false, // must be false when origin is "*"
}; };
return (cors(publicCorsOptions) as any)(req, res, next); return (cors(publicCorsOptions) as any)(req, res, next);
@ -81,7 +75,7 @@ app.use((req, res, next) => {
} }
})(); })();
}, },
methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"], methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS"],
// Do not set a fixed `allowedHeaders` list so the CORS middleware will // Do not set a fixed `allowedHeaders` list so the CORS middleware will
// reflect the browser's requested headers (Access-Control-Request-Headers). // reflect the browser's requested headers (Access-Control-Request-Headers).
// This effectively allows the browser to send any header. Keep credentials // This effectively allows the browser to send any header. Keep credentials