configure cors

Author: dillonfagan

apps/api/package-lock.json

@@ -21,6 +21,7 @@
     "@supabase/supabase-js": "^2.45.4",
     "airtable": "^0.12.2",
     "body-parser": "^1.20.3",
+    "cors": "^2.8.5",
     "dotenv": "^16.4.5",
     "express": "^4.21.0",
     "swagger-jsdoc": "^6.2.8",

apps/api/package.json

@@ -10,20 +10,27 @@ const bodyParser = require('body-parser');
 const auth = require('./auth');
 const things = require('./apps/catalog/routes/things');
 const lending = require('./apps/librarian');
+const cors = require('cors');
 const apiKeyMiddleware = require('./middleware/apiKey');
 
+const corsOptions = Object.freeze({
+    allowedHeaders: [
+        'Origin',
+        'x-api-key',
+        'X-Requested-With',
+        'Content-Type',
+        'Accept',
+        'supabase-access-token',
+        'supabase-refresh-token'
+    ],
+    credentials: true,
+    origin: process.env.ACCESS_CONTROL_ALLOW_ORIGIN
+});
+
+app.use(cors(corsOptions));
 app.use(apiKeyMiddleware);
 app.use(bodyParser.json());
 
-app.all('*', (req, res, next) => {
-    res.header("Access-Control-Allow-Origin", "*");
-    res.header("Access-Control-Allow-Headers", "Origin, x-api-key, X-Requested-With, Content-Type, Accept, supabase-access-token, supabase-refresh-token");
-    res.header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD");
-    res.header("Access-Control-Allow-Credentials", "true");
-    res.header("Access-Control-Allow-Private-Network", "true");
-    next();
-});
-
 app.get('/', (_, res) => {
     res.send('You have reached the Things API');
 });