fix: update CORS middleware to set public options and improve origin handling

2025-11-11 11:05:44 +07:00 · 2025-11-11 11:05:44 +07:00 · 6fa2360d64
parent ccccb9d63b
commit 6fa2360d64
1 changed files with 6 additions and 9 deletions
--- a/src/app.ts
+++ b/src/app.ts
@ -25,6 +25,12 @@ const CORS_CACHE_TTL_MS =
  Number(process.env.CORS_CACHE_TTL_MS) || 5 * 60 * 1000;

 app.use((req, res, next) => {
+  const publicCorsOptions = {
+    origin: "*",
+    methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
+    credentials: false, // must be false when origin is "*"
+  };
+  return (cors(publicCorsOptions) as any)(req, res, next);
  // Check if this is a public API endpoint that should allow any origin
  const isPublicAPIEndpoint =
    req.path.match(/^\/[^\/]+\/transfer-va\/(inquiry|payment)$/) ||
@ -48,19 +54,10 @@ app.use((req, res, next) => {
    ) => {
      // allow non-browser requests with no origin (curl/server-to-server)
      if (!origin) return callback(null, true);
-
-      // Normalize client key from headers (case-insensitive). Note: during
-      // browser preflight (OPTIONS) the browser will NOT send the actual
-      // custom header values; it only sends Access-Control-Request-Headers
-      // listing the header names. That means we cannot rely on header values
-      // being present on OPTIONS. To improve reliability we also accept a
-      // clientKey via query parameter and fall back to matching the origin
-      // against the `whitelistcors` table below.
      const cacheKey = "__default__";

      (async () => {
        try {
-          const cached = corsCache.get(cacheKey);
          let allowedOrigins: string[] = [];
          allowedOrigins = (process.env.DEFAULT_CORS_ORIGINS || "")
            .split(",")