fix: attempt to fix cors
parent
7b5411ab64
commit
97b1bb6c9c
|
|
@ -1,5 +1,5 @@
|
||||||
import { Elysia } from "elysia";
|
import { Elysia } from "elysia";
|
||||||
import { cors } from "@elysiajs/cors";
|
|
||||||
import { ingest } from "./routes/pings";
|
import { ingest } from "./routes/pings";
|
||||||
import { monitors } from "./routes/monitors";
|
import { monitors } from "./routes/monitors";
|
||||||
import { account } from "./routes/auth";
|
import { account } from "./routes/auth";
|
||||||
|
|
@ -7,14 +7,6 @@ import { internal } from "./routes/internal";
|
||||||
import { migrate } from "./db";
|
import { migrate } from "./db";
|
||||||
await migrate();
|
await migrate();
|
||||||
|
|
||||||
const CORS_ORIGIN = process.env.CORS_ORIGINS?.split(",") ?? ["https://pingql.com"];
|
|
||||||
|
|
||||||
const CORS_HEADERS = {
|
|
||||||
"access-control-allow-credentials": "true",
|
|
||||||
"access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
|
|
||||||
"access-control-allow-headers": "Content-Type, Authorization",
|
|
||||||
};
|
|
||||||
|
|
||||||
const SECURITY_HEADERS = {
|
const SECURITY_HEADERS = {
|
||||||
"X-Content-Type-Options": "nosniff",
|
"X-Content-Type-Options": "nosniff",
|
||||||
"X-Frame-Options": "DENY",
|
"X-Frame-Options": "DENY",
|
||||||
|
|
@ -24,25 +16,22 @@ const SECURITY_HEADERS = {
|
||||||
};
|
};
|
||||||
|
|
||||||
const app = new Elysia()
|
const app = new Elysia()
|
||||||
// Security headers on all responses
|
.onAfterHandle(({ set, request }) => {
|
||||||
.onAfterHandle(({ set }) => {
|
|
||||||
Object.assign(set.headers, SECURITY_HEADERS);
|
Object.assign(set.headers, SECURITY_HEADERS);
|
||||||
|
const origin = request.headers.get("origin") || "*";
|
||||||
|
set.headers["access-control-allow-origin"] = origin;
|
||||||
|
set.headers["access-control-allow-credentials"] = "true";
|
||||||
|
set.headers["access-control-allow-methods"] = "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS";
|
||||||
|
set.headers["access-control-allow-headers"] = "Content-Type, Authorization";
|
||||||
})
|
})
|
||||||
.use(cors({
|
.options("/*", ({ set, request }) => {
|
||||||
origin: CORS_ORIGIN,
|
const origin = request.headers.get("origin") || "*";
|
||||||
credentials: true,
|
set.headers["access-control-allow-origin"] = origin;
|
||||||
allowedHeaders: ["Content-Type", "Authorization"],
|
set.headers["access-control-allow-credentials"] = "true";
|
||||||
methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
|
set.headers["access-control-allow-methods"] = "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS";
|
||||||
preflight: true,
|
set.headers["access-control-allow-headers"] = "Content-Type, Authorization";
|
||||||
}))
|
set.status = 204;
|
||||||
// Explicit OPTIONS handler for cross-origin preflight
|
return null;
|
||||||
.options("/*", ({ request }) => {
|
|
||||||
const origin = request.headers.get("origin") ?? "";
|
|
||||||
const allowed = CORS_ORIGIN.includes(origin) ? origin : CORS_ORIGIN[0];
|
|
||||||
return new Response(null, {
|
|
||||||
status: 204,
|
|
||||||
headers: { ...CORS_HEADERS, "access-control-allow-origin": allowed },
|
|
||||||
});
|
|
||||||
})
|
})
|
||||||
.get("/", () => ({
|
.get("/", () => ({
|
||||||
name: "PingQL API",
|
name: "PingQL API",
|
||||||
|
|
|
||||||
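Review bot: The new `onAfterHandle` and `.options("/*")` handlers copy whatever `Origin` the request carries into `access-control-allow-origin` and always send `access-control-allow-credentials: true`, so the `CORS_ORIGINS` allowlist this commit deletes is no longer enforced. If the API authenticates with cookies (not visible on this page), any website a logged-in user visits could then read authenticated responses. The `|| "*"` fallback also cannot work with credentials, because browsers reject a wildcard origin on credentialed responses. I would keep `CORS_ORIGIN`, echo the origin only when it is on that list, and add `Vary: Origin` so a shared cache does not replay one origin's headers to another; the same check belongs in the `.options("/*")` handler. The `new Elysia()` chain continues past the end of the hunk.

```javascript
const CORS_ORIGIN = process.env.CORS_ORIGINS?.split(",") ?? ["https://pingql.com"];
// … unchanged: SECURITY_HEADERS …
  .onAfterHandle(({ set, request }) => {
    Object.assign(set.headers, SECURITY_HEADERS);
    const origin = request.headers.get("origin");
    // Echo the origin only when it is allowlisted; otherwise send no CORS grant at all.
    if (origin && CORS_ORIGIN.includes(origin)) {
      set.headers["access-control-allow-origin"] = origin;
      set.headers["access-control-allow-credentials"] = "true";
      set.headers["vary"] = "Origin";
    }
    // … unchanged: access-control-allow-methods / access-control-allow-headers …
  })
```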