Fix CORS origin trimming, unused import, and fragile error handling (FRE-4749)

- P2: Add .map(s => s.trim()) to trim whitespace from comma-separated ALLOWED_ORIGINS
- P3: Remove unused setSentryUser import from @shieldai/monitoring
- P3: Replace fragile string prefix matching with boolean isValidProtocol sentinel

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Senior Engineer
2026-05-10 02:57:45 -04:00
committed by Michael Freno
parent 4ddd24fd72
commit fb82dc68d7
2 changed files with 5 additions and 3 deletions


@@ -27,7 +27,7 @@ export const apiEnv = envSchema.parse({
* In development, falls back to localhost.
*/
export function getCorsOrigins(): string | string[] {
const origins = (apiEnv.ALLOWED_ORIGINS || '').split(',').filter(Boolean);
const origins = (apiEnv.ALLOWED_ORIGINS || '').split(',').map(s => s.trim()).filter(Boolean);
if (apiEnv.NODE_ENV === 'production') {
if (origins.length === 0) {
@@ -42,15 +42,17 @@ export function getCorsOrigins(): string | string[] {
'CORS origin validation (FRE-4749): wildcard (*) ALLOWED_ORIGIN in production.'
);
}
let isValidProtocol = true;
try {
const url = new URL(origin);
if (url.protocol !== 'https:' && url.protocol !== 'http:') {
isValidProtocol = false;
throw new Error(
`CORS origin validation (FRE-4749): invalid protocol "${url.protocol}" in "${origin}". Expected http: or https:`
);
}
} catch (err) {
if (err instanceof Error && err.message.startsWith('CORS origin')) throw err;
if (err instanceof Error && !isValidProtocol) throw err;
throw new Error(
`CORS origin validation (FRE-4749): malformed origin "${origin}": ${err instanceof Error ? err.message : String(err)}`
);
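Review bot: The new validation still accepts entries that can never match a browser's Origin header, because `new URL(origin)` happily parses `https://app.example.com/`, `https://app.example.com/api` or `https://user:pw@app.example.com`, while the middleware this list is handed to presumably compares the bare `scheme://host[:port]` string exactly, so a stray trailing slash in ALLOWED_ORIGINS passes this check and then silently denies every cross-origin request in production. After the protocol check, compare against the parsed canonical form: `if (url.origin !== origin) throw new Error(`CORS origin validation (FRE-4749): "${origin}" is not a canonical origin; expected "${url.origin}"`);`. The `isValidProtocol` sentinel is sound, but the same effect falls out more simply if only the `new URL(origin)` call sits inside the try/catch and the protocol check follows it, which removes the need to rethrow from inside the catch at all. The loop enclosing this hunk starts before it and `getCorsOrigins` ends after it.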


@@ -8,7 +8,7 @@ import { errorHandlingMiddleware } from './middleware/error-handling.middleware'
import { loggingMiddleware } from './middleware/logging.middleware';
import { apiEnv, loggingConfig, getCorsOrigins } from './config/api.config';
import { routes } from './routes';
import { initDatadog, initSentry, setSentryUser } from '@shieldai/monitoring';
import { initDatadog, initSentry } from '@shieldai/monitoring';
const fastify = Fastify({
logger: loggingConfig,