Merge pull request #106 from pvdthings/dev

Release: Security Update

.github/workflows/deploy-dev.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   deploy-api:
     name: Deploy API
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: akhileshns/heroku-deploy@v3.13.15

.github/workflows/deploy-main.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   deploy-api:
     name: Deploy API
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: akhileshns/heroku-deploy@v3.13.15

apps/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pvdthings-api",
-  "version": "1.22.0",
+  "version": "1.22.1",
   "description": "",
   "main": "server.js",
   "scripts": {

apps/api/server.js

@@ -13,6 +13,8 @@ const lending = require('./apps/librarian');
 const cors = require('cors');
 const apiKeyMiddleware = require('./middleware/apiKey');
 
+const allowedOrigins = process.env.ACCESS_CONTROL_ALLOW_ORIGIN.split(',');
+
 const corsOptions = Object.freeze({
     allowedHeaders: [
         'Origin',
@@ -24,7 +26,13 @@ const corsOptions = Object.freeze({
         'supabase-refresh-token'
     ],
     credentials: true,
-    origin: process.env.ACCESS_CONTROL_ALLOW_ORIGIN
+    origin: (origin, callback) => {
+        if (allowedOrigins.includes(origin) || (!origin && isDevelopment())) {
+            callback(null, true);
+        } else {
+            callback(new Error('Not allowed by CORS'));
+        }
+    }
 });
 
 app.use(cors(corsOptions));