refactor cors

Author: markusweblance

src/interfaces/adminpanelConfig.ts

@@ -258,7 +258,8 @@ export interface AdminpanelConfig {
 
     cors?: {
         enabled: boolean;
-        origin?: string[];
+        origin: string[] | string;
+        path: string
         credentials?: boolean;
         methods?: string[];
         allowedHeaders?: string[];

src/lib/Adminizer.ts

@@ -40,6 +40,7 @@ import {bindNotifications} from "../system/bindNotifications";
 import {INotification} from "../interfaces/types";
 import {MediaManagerHandler} from "./media-manager/MediaManagerHandler";
 import {StorageServices} from "./catalog/Navigation";
+import {bindCors} from "../system/bindCors";
 
 export class Adminizer {
     // Preconfigures
@@ -212,60 +213,9 @@ export class Adminizer {
             }
         };
 
-        // Middleware для всех API маршрутов
-        const defaultOrigin = process.env.FRONTEND_URL || 'http://localhost:8080';
+        // Bind cors
+        bindCors(this)
 
-        if (config?.cors?.enabled) {
-            const corsConfig = config.cors;
-
-            // Поддерживаем массив разрешенных origin
-            const allowedOrigins = Array.isArray(corsConfig.origin)
-                ? corsConfig.origin
-                : [corsConfig.origin || defaultOrigin];
-
-            this.app.all(`${this.config.routePrefix}/api/*`, (req: any, res: any, next: any) => {
-                const requestOrigin = req.headers.origin;
-
-                // Проверяем разрешен ли origin
-                const isOriginAllowed = !requestOrigin || allowedOrigins.includes(requestOrigin);
-
-
-                if (requestOrigin && !isOriginAllowed) {
-                    console.log(`❌ CORS: Blocked request from ${requestOrigin}`);
-
-                    if (req.method === 'OPTIONS') {
-                        // Для preflight - 200 без CORS headers
-                        return res.status(200).end();
-                    } else {
-                        // Для основных запросов - ошибка
-                        return res.status(403).json({
-                            error: 'CORS policy: Origin not allowed'
-                        });
-                    }
-                }
-
-                // Запрос с разрешенного origin или без Origin
-                if (isOriginAllowed) {
-                    // Для CORS запросов возвращаем тот же origin (или первый из списка)
-                    const allowOrigin = requestOrigin || allowedOrigins[0];
-                    res.header('Access-Control-Allow-Origin', allowOrigin);
-                    res.header('Access-Control-Allow-Credentials',
-                        corsConfig.credentials !== false ? 'true' : 'false');
-                    res.header('Access-Control-Allow-Methods',
-                        corsConfig.methods?.join(',') || 'GET,POST,PUT,DELETE,OPTIONS');
-                    res.header('Access-Control-Allow-Headers',
-                        corsConfig.allowedHeaders?.join(',') || 'Content-Type,Authorization,X-Requested-With,X-CSRF-Token,x-xsrf-token');
-                }
-
-                if (req.method === 'OPTIONS') {
-                    return res.status(200).end();
-                }
-
-                next();
-            });
-
-            console.log('✅ API CORS middleware enabled. Allowed origins:', allowedOrigins);
-        }
         // set cookie parser
         this.app.use(cookieParser());
 

src/system/Router.ts

@@ -86,7 +86,9 @@ export default class Router {
          * */
         adminizer.app.all(`${adminizer.config.routePrefix}/form/:slug`, adminizer.policyManager.bindPolicies(policies, _form));
 
-        // Create a base entity route
+        /**
+         *  Create a base entity route
+         */
         let baseRoute = `${adminizer.config.routePrefix}/:entityType(form|model)/:entityName`;
 
         /**

src/system/bindCors.ts

@@ -0,0 +1,54 @@
+import {Adminizer} from "../lib/Adminizer";
+
+export function bindCors(adminizer: Adminizer){
+    if (adminizer.config?.cors?.enabled) {
+        const corsConfig = adminizer.config.cors;
+
+        // Поддерживаем массив разрешенных origin
+        const allowedOrigins = Array.isArray(corsConfig.origin)
+            ? corsConfig.origin
+            : [corsConfig.origin];
+
+        this.app.all(`${adminizer.config.routePrefix}/${corsConfig.path}`, (req: any, res: any, next: any) => {
+            const requestOrigin = req.headers.origin;
+
+            // Проверяем разрешен ли origin
+            const isOriginAllowed = !requestOrigin || allowedOrigins.includes(requestOrigin);
+
+            if (requestOrigin && !isOriginAllowed) {
+                console.log(`❌ CORS: Blocked request from ${requestOrigin}`);
+
+                if (req.method === 'OPTIONS') {
+                    // Для preflight - 200 без CORS headers
+                    return res.status(200).end();
+                } else {
+                    // Для основных запросов - ошибка
+                    return res.status(403).json({
+                        error: 'CORS policy: Origin not allowed'
+                    });
+                }
+            }
+
+            // Запрос с разрешенного origin или без Origin
+            if (isOriginAllowed) {
+                // Для CORS запросов возвращаем тот же origin (или первый из списка)
+                const allowOrigin = requestOrigin || allowedOrigins[0];
+                res.header('Access-Control-Allow-Origin', allowOrigin);
+                res.header('Access-Control-Allow-Credentials',
+                    corsConfig.credentials !== false ? 'true' : 'false');
+                res.header('Access-Control-Allow-Methods',
+                    corsConfig.methods?.join(',') || 'GET,POST,PUT,DELETE,OPTIONS');
+                res.header('Access-Control-Allow-Headers',
+                    corsConfig.allowedHeaders?.join(',') || 'Content-Type,Authorization,X-Requested-With,X-CSRF-Token,x-xsrf-token');
+            }
+
+            if (req.method === 'OPTIONS') {
+                return res.status(200).end();
+            }
+
+            next();
+        });
+
+        console.log('✅ API CORS middleware enabled. Allowed origins:', allowedOrigins);
+    }
+}

src/system/defaults.ts

@@ -157,6 +157,8 @@ let adminpanelConfig: AdminpanelConfig = {
     },
     cors: {
         enabled: false,
+        origin: 'http://localhost:8080',
+        path: 'api/*'
     },
     mediamanager: {
         fileStoragePath: '.tmp/public',