From b1318f5a4160ff3f5bb110e08916bf75a56463c2 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 24 Sep 2025 10:47:10 +0200
Subject: [PATCH] =?UTF-8?q?Implementiere=20CORS=20mit=20Whitelist=20und=20?=
 =?UTF-8?q?tolerantem=20Fallback=20f=C3=BCr=20fehlende=20Origin-Header=20i?=
 =?UTF-8?q?n=20server.js,=20um=20die=20Sicherheit=20und=20Flexibilit=C3=A4?=
 =?UTF-8?q?t=20der=20API=20zu=20erh=C3=B6hen.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server.js | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 55f105a..e7661fe 100644
--- a/server.js
+++ b/server.js
@@ -21,7 +21,25 @@ const filesRouter = require('./routes/files');
 const app = express();
 const PORT = 3002;
-app.use(cors());
+// CORS mit Whitelist und tolerantem Fallback für fehlende Origin-Header
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || '')
+  .split(',')
+  .map(s => s.trim())
+  .filter(Boolean);
+
+app.use(cors({
+  origin: (origin, callback) => {
+    if (!origin) return callback(null, true); // z.B. Healthchecks/curl/Server-zu-Server
+    if (allowedOrigins.length === 0) return callback(null, true); // Fallback: alles erlauben
+    if (allowedOrigins.includes(origin)) return callback(null, true);
+    return callback(new Error('Not allowed by CORS'), false);
+  },
+  credentials: true,
+  methods: ['GET','POST','PUT','PATCH','DELETE','OPTIONS'],
+  allowedHeaders: ['Content-Type','Authorization']
+}));
+app.options('*', cors());
+
 app.use(bodyParser.json());
 app.use('/api/auth', authRouter);
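Review bot: The empty-whitelist fallback in the origin callback, `if (allowedOrigins.length === 0) return callback(null, true);`, together with `credentials: true` makes the server reflect whatever Origin the request carries into Access-Control-Allow-Origin alongside Access-Control-Allow-Credentials: true whenever ALLOWED_ORIGINS is unset, which is weaker than the removed `app.use(cors())` (its wildcard `*` is never honoured by browsers for credentialed requests) and lets any site issue credentialed cross-origin calls to this API. A whitelist should fail closed: return `callback(null, false)` there so no CORS headers are emitted and the browser blocks the response, and log a startup warning that ALLOWED_ORIGINS is empty; if a permissive mode is really wanted, it must not be combined with `credentials: true`. The trailing `app.options('*', cors());` registers a second, unconfigured CORS handler with a different policy (wildcard origin, no whitelist, no credentials); the configured middleware above already answers preflight requests, so this line should be dropped or given the same options object to avoid two competing policies. Rejecting with `callback(new Error('Not allowed by CORS'), false)` turns a disallowed origin into a 500 via Express's default error handler unless an error middleware is registered later in the file (not visible in this hunk); `callback(null, false)` is the conventional choice and simply omits the allow header.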