From 8166b341cea5731e70d25a6e2c430742c3e50e36 Mon Sep 17 00:00:00 2001
From: richardtekula
Date: Fri, 30 Jan 2026 10:37:34 +0100
Subject: [PATCH] fix: Allow no-origin requests for file downloads
CORS was blocking direct browser navigation/downloads in production. Auth is still enforced by JWT/cookies on protected routes.
Co-Authored-By: Claude Opus 4.5
---
 src/app.js | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/app.js b/src/app.js
index f19f09f..eed9592 100644
--- a/src/app.js
+++ b/src/app.js
@@ -63,12 +63,9 @@ app.use(
 const isProduction = process.env.NODE_ENV === 'production';
 const corsOptions = {
 origin: (origin, callback) => {
- // Requests with no origin (curl, Postman, server-to-server)
- // Only allow in development - in production this is a CORS bypass vector
+ // Requests with no origin (direct browser navigation, file downloads)
+ // Allow in production too - auth is handled by JWT/cookies on protected routes
 if (!origin) {
- if (isProduction) {
- return callback(new Error('Not allowed by CORS'));
- }
 return callback(null, true);
 }