From 3451fcd7b9d95e9091d62c515752f39f2faa6e54 Mon Sep 17 00:00:00 2001
From: Hugues Chocart
Date: Wed, 28 Aug 2024 17:39:01 +0100
Subject: [PATCH] fix: cors too permisive (#515)
---
 packages/backend/src/utils/cors.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/packages/backend/src/utils/cors.ts b/packages/backend/src/utils/cors.ts
index 0ec1b375..bc4392ac 100644
--- a/packages/backend/src/utils/cors.ts
+++ b/packages/backend/src/utils/cors.ts
@@ -3,8 +3,13 @@ import { Context, Next } from "koa"
 import { createMiddleware } from "./middleware"
 async function patchedCors(ctx: Context, next: Next) {
+ const origin = process.env.NODE_ENV !== "production" ? ctx.get("Origin") || "*" : process.env.APP_URL!
+
 if (ctx.method === "options") {
- ctx.set("Access-Control-Allow-Origin", ctx.get("Origin") || "*")
+ ctx.set("Access-Control-Allow-Origin", origin)
 ctx.set("Access-Control-Allow-Methods", "GET, POST, PATCH, OPTIONS, DELETE")
 ctx.set("Access-Control-Allow-Credentials", "true")
 ctx.set(
@@ -14,10 +19,9 @@ async function patchedCors(ctx: Context, next: Next) {
 ctx.status = 204
 return
 }
+
 await cors({
- origin(ctx) {
- return ctx.get("Origin") || "*"
- },
+ origin,
 credentials: true,
 allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
 allowHeaders: ["Content-Type", "Authorization", "Accept"],
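Review bot: `process.env.APP_URL!` on the new `const origin` line only silences the type checker; if `APP_URL` is missing in production `origin` is `undefined`, and depending on how Koa's `ctx.set` and `@koa/cors` treat a non-string value the header is dropped, stringified or throws — either way every cross-origin request fails with no signal at startup. Read it once at module load and fail fast, `const APP_URL = process.env.APP_URL` / `if (process.env.NODE_ENV === "production" && !APP_URL) throw new Error("APP_URL must be set in production")`, then use `APP_URL` in place of the `!`. Separately, Node reports `req.method` in upper case, so `ctx.method === "options"` likely never matches and the manual 204 preflight branch holding the new `ctx.set("Access-Control-Allow-Origin", origin)` appears to be dead code, with `cors()` answering preflights instead — confirm, then compare against `"OPTIONS"` or delete the branch. A comment above the `const origin` lines would also help: in non-production it reflects any caller's `Origin` together with credentials (acceptable for local dev, never for a deployed build), the `"*"` fallback is rejected by browsers when `Access-Control-Allow-Credentials: true` is sent, and `APP_URL` must be a bare origin (scheme://host[:port], no trailing slash or path) for the browser's comparison to succeed.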