fix: Allow no-origin requests for file downloads

CORS was blocking direct browser navigation/downloads in production.
Auth is still enforced by JWT/cookies on protected routes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
richardtekula
2026-01-30 10:37:34 +01:00
parent fc2cf1acc2
commit 8166b341ce


@@ -63,12 +63,9 @@ app.use(
const isProduction = process.env.NODE_ENV === 'production'; const isProduction = process.env.NODE_ENV === 'production';
const corsOptions = { const corsOptions = {
origin: (origin, callback) => { origin: (origin, callback) => {
// Requests with no origin (curl, Postman, server-to-server) // Requests with no origin (direct browser navigation, file downloads)
// Only allow in development - in production this is a CORS bypass vector // Allow in production too - auth is handled by JWT/cookies on protected routes
if (!origin) { if (!origin) {
if (isProduction) {
return callback(new Error('Not allowed by CORS'));
}
return callback(null, true); return callback(null, true);
} }