feat: support for narrowing cors (#12)

* feat: support for narrowing cors

* chore: isolate test

* chore: test are not isolated

Author: peterpeterparker

.env.development.example

@@ -3,4 +3,5 @@ GITHUB_CLIENT_SECRET=your_github_oauth_client_secret
 GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
 JWT_PRIVATE_KEY_PATH=./private-key.pem
 JWT_PUBLIC_KEY_PATH=./public-key.pem
-JWT_KEY_ID=your-api-key-1
+JWT_KEY_ID=your-api-key-1
+CORS_ORIGIN=

.env.production.example

@@ -2,4 +2,5 @@ GITHUB_CLIENT_ID=your_github_oauth_client_id
 GITHUB_CLIENT_SECRET=your_github_oauth_client_secret
 GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
 COOKIE_DOMAIN=.yourdomain.com
-COOKIE_SAME_SITE=lax
+COOKIE_SAME_SITE=lax
+CORS_ORIGIN=

README.md

@@ -35,9 +35,10 @@ GITHUB_AUTH_ISSUER=https://your-domain.com/auth/github
 > [!NOTE]
 > The issuer must be unique for the service. The authentication modules use it to distinguish the providers.
 
-3. (Optional) Configure cookie settings for cross-subdomain support in `.env.production`:
+3. (Optional) Configure CORS and cookie settings in `.env.production`:
 
 ```bash
+CORS_ORIGIN=https://yourapp.yourdomain.com
 COOKIE_DOMAIN=.yourdomain.com
 COOKIE_SAME_SITE=lax
 ```

bunfig.toml

@@ -1,2 +1,2 @@
 [test]
-preload = ["./test-setup.ts"]
+preload = ["./test-setup.ts"]

src/server.ts

@@ -17,6 +17,8 @@ import { exchangePrice, ExchangePriceSchema } from './handlers/exchange/price';
 
 const { version: appVersion, name: appName, description: appDescription } = packageJson;
 
+const corsOrigin = process.env.CORS_ORIGIN;
+
 export const app = new Elysia()
 	.error({
 		FetchApiError,
@@ -44,7 +46,11 @@ export const app = new Elysia()
 			}
 		})
 	)
-	.use(cors())
+	.use(
+		cors({
+			...(corsOrigin !== undefined && { origin: corsOrigin })
+		})
+	)
 	.decorate('github', new GitHubDecorator())
 	.decorate('jwt', new JwtDecorator())
 	.decorate('exchange', new ExchangeDecorator())