Spaces:

broadfield-dev
/

KeyLock-RSA-JS

Sleeping

App Files Files Community

broadfield-dev commited on Jun 7

Commit

e34feda

verified ·

1 Parent(s): be9835b

Update index.js

Browse files

Files changed (1) hide show

index.js +35 -7

index.js CHANGED Viewed

@@ -6,15 +6,38 @@ const { decodeFromImageBuffer } = require('./decoder'); // Import our logic
 const app = express();
 const PORT = process.env.PORT || 7860;
-// Looser CORS for testing, tighten this in a real production environment
-app.use(cors());
-// --- 1. HEALTH CHECK ENDPOINT ---
-// You can visit this in your browser to see if the server is running.
 app.get('/', (req, res) => {
     res.status(200).json({
         status: 'ok',
-        message: 'Secure Decoder API is running.'
     });
 });
@@ -23,9 +46,9 @@ const upload = multer({
     limits: { fileSize: 5 * 1024 * 1024 }, // 5MB limit
 });
-// --- 2. DECODE API ENDPOINT ---
 app.post('/api/decode', upload.single('authImage'), async (req, res) => {
-    console.log("Received a request to /api/decode");
     const privateKey = process.env.PLUGIN_PRIVATE_KEY;
     if (!privateKey) {
@@ -49,6 +72,11 @@ app.post('/api/decode', upload.single('authImage'), async (req, res) => {
 app.listen(PORT, () => {
     console.log(`Secure decoder API listening on port ${PORT}`);
     if (!process.env.PLUGIN_PRIVATE_KEY) {
         console.warn("WARNING: PLUGIN_PRIVATE_KEY environment variable is not set. The /api/decode endpoint will fail.");
     } else {

 const app = express();
 const PORT = process.env.PORT || 7860;
+// --- 1. SECURE CORS CONFIGURATION ---
+// Define the list of allowed client origins from an environment variable.
+// This allows you to change the allowed origins without changing the code.
+// The variable should be a comma-separated list of URLs.
+const allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : [];
+const corsOptions = {
+  origin: (origin, callback) => {
+    // 'origin' will be undefined for server-to-server requests or curl.
+    // Allow requests with no origin OR if the origin is in our whitelist.
+    if (!origin || allowedOrigins.indexOf(origin) !== -1) {
+      callback(null, true);
+    } else {
+      // If the origin is not in the whitelist, reject the request.
+      callback(new Error(`Not allowed by CORS. Origin: ${origin}`));
+    }
+  },
+  methods: ['GET', 'POST'], // Allow only specific methods
+};
+// Use the configured CORS middleware
+app.use(cors(corsOptions));
+// --- 2. HEALTH CHECK ENDPOINT ---
 app.get('/', (req, res) => {
     res.status(200).json({
         status: 'ok',
+        message: 'Secure Decoder API is running.',
+        // Also report which origins are allowed, for easy debugging.
+        allowed_origins: allowedOrigins.length > 0 ? allowedOrigins : "None configured (check ALLOWED_ORIGINS secret)."
     });
 });
     limits: { fileSize: 5 * 1024 * 1024 }, // 5MB limit
 });
+// --- 3. DECODE API ENDPOINT ---
 app.post('/api/decode', upload.single('authImage'), async (req, res) => {
+    console.log(`Received a request to /api/decode from origin: ${req.get('origin') || 'unknown'}`);
     const privateKey = process.env.PLUGIN_PRIVATE_KEY;
     if (!privateKey) {
 app.listen(PORT, () => {
     console.log(`Secure decoder API listening on port ${PORT}`);
+    if (allowedOrigins.length > 0) {
+        console.log(`CORS whitelist enabled for the following origins: ${allowedOrigins.join(', ')}`);
+    } else {
+        console.warn("WARNING: No CORS origins are whitelisted. Set the ALLOWED_ORIGINS secret. All cross-origin requests will be blocked.");
+    }
     if (!process.env.PLUGIN_PRIVATE_KEY) {
         console.warn("WARNING: PLUGIN_PRIVATE_KEY environment variable is not set. The /api/decode endpoint will fail.");
     } else {