diff --git a/packages/api/src/config/api.config.ts b/packages/api/src/config/api.config.ts
index fd0e65e..29d3f38 100644
--- a/packages/api/src/config/api.config.ts
+++ b/packages/api/src/config/api.config.ts
@@ -27,7 +27,7 @@ export const apiEnv = envSchema.parse({
  * In development, falls back to localhost.
  */
 export function getCorsOrigins(): string | string[] {
-  const origins = (apiEnv.ALLOWED_ORIGINS || '').split(',').filter(Boolean);
+  const origins = (apiEnv.ALLOWED_ORIGINS || '').split(',').map(s => s.trim()).filter(Boolean);
 
   if (apiEnv.NODE_ENV === 'production') {
     if (origins.length === 0) {
@@ -42,15 +42,17 @@ export function getCorsOrigins(): string | string[] {
           'CORS origin validation (FRE-4749): wildcard (*) ALLOWED_ORIGIN in production.'
         );
       }
+      let isValidProtocol = true;
       try {
         const url = new URL(origin);
         if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+          isValidProtocol = false;
           throw new Error(
             `CORS origin validation (FRE-4749): invalid protocol "${url.protocol}" in "${origin}". Expected http: or https:`
           );
         }
       } catch (err) {
-        if (err instanceof Error && err.message.startsWith('CORS origin')) throw err;
+        if (err instanceof Error && !isValidProtocol) throw err;
         throw new Error(
           `CORS origin validation (FRE-4749): malformed origin "${origin}": ${err instanceof Error ? err.message : String(err)}`
         );
diff --git a/packages/api/src/index.ts b/packages/api/src/index.ts
index a3350a3..5048aef 100644
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -8,7 +8,7 @@ import { errorHandlingMiddleware } from './middleware/error-handling.middleware'
 import { loggingMiddleware } from './middleware/logging.middleware';
 import { apiEnv, loggingConfig, getCorsOrigins } from './config/api.config';
 import { routes } from './routes';
-import { initDatadog, initSentry, setSentryUser } from '@shieldai/monitoring';
+import { initDatadog, initSentry } from '@shieldai/monitoring';
 
 const fastify = Fastify({
   logger: loggingConfig,
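Review bot: The `isValidProtocol` flag in the second api.config.ts hunk exists only so the `catch` block can tell the function's own protocol error apart from a `new URL()` failure, and a mutable flag written inside `try` and read inside `catch` is harder to follow than not catching the protocol error in the first place. Parsing the origin in a narrow try/catch and running the protocol check after it removes both the flag and the `err instanceof Error && !isValidProtocol` test. While restructuring, consider also rejecting entries that are not a bare origin, e.g. `if (url.origin !== origin) throw new Error(...)`: `new URL()` accepts a trailing slash, a path or embedded credentials, and such an entry would pass this validation yet never equal the `Origin` header a browser sends, so the misconfiguration would surface as runtime CORS rejections instead of at startup. The loop that defines `origin` begins before this hunk and `getCorsOrigins` continues past it.
```typescript
      // … unchanged: wildcard check above …
      let url: URL;
      try {
        url = new URL(origin);
      } catch (err) {
        throw new Error(
          `CORS origin validation (FRE-4749): malformed origin "${origin}": ${err instanceof Error ? err.message : String(err)}`
        );
      }
      if (url.protocol !== 'https:' && url.protocol !== 'http:') {
        throw new Error(
          `CORS origin validation (FRE-4749): invalid protocol "${url.protocol}" in "${origin}". Expected http: or https:`
        );
      }
```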