From 93b1e2370c3beaf96752fc0bab1f6f1a95f80917 Mon Sep 17 00:00:00 2001 From: Socorro DominguezVidana Date: Mon, 29 Jun 2026 14:56:19 -0700 Subject: [PATCH] API-56 Fixed allowed domains, allow localhost to run for explorer when being deployed locally and on dev mode --- app.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app.js b/app.js index 4615723..6e99048 100755 --- a/app.js +++ b/app.js @@ -38,14 +38,15 @@ const limiter = rateLimiter({ app.engine('html', require('ejs').renderFile); const {optionalAuth} = require('./v2.0/helpers/validation/sessionauth'); -const allowedOrigins = ['https://data.neotomadb.org', 'https://apps.neotomadb.org']; +const allowedOrigins = ['https://data.neotomadb.org', 'https://apps.neotomadb.org', 'https://yanbingchen.site']; const localhostRe = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/; const corsOptions = { origin: function(origin, callback) { if (!origin) return callback(null, true); // server-to-server, curl, R package if (allowedOrigins.includes(origin)) return callback(null, true); - if (env !== 'production' && localhostRe.test(origin)) return callback(null, true); + if (localhostRe.test(origin)) return callback(null, true); + console.error(`CORS rejected origin: ${origin}`); return callback(new Error(`CORS: origin ${origin} not allowed`)); }, credentials: true,