clean up comments

Eiman Eltigani · Eiman Eltigani · commit 152fad628ab6 · 2025-11-11T13:12:04.000-07:00
diff --git a/web-integrations/javascript-sdk/server-side-node/README.md b/web-integrations/javascript-sdk/server-side-node/README.md
@@ -64,7 +64,14 @@ The following table lists the environment variables that you must specify to sta
 | `UID_CSTG_SERVER_PUBLIC_KEY` | Your UID2/EUID server public key for Client-Side Token Generation. **These are public credentials.** | Your assigned public key |
 | `SESSION_KEY` | Used by the cookie-session middleware to encrypt the session data stored in cookies. | Any secure random string |
 
-> **⚠️ Important**: Your CSTG subscription must be configured with `http://localhost:3034` as an allowed origin. Contact your UID2/EUID representative to add this origin to your subscription's allowed origins list.
+### Optional Configuration
+
+| Variable | Description | Example Values |
+|:---------|:------------|:---------------|
+| `UID_CSTG_ORIGIN` | The public URL where this application is deployed. Must match your CSTG subscription's allowed origins. Defaults to `http://localhost:PORT`. | `https://your-domain.com` (production)<br/>`http://localhost:3034` (default) |
+| `PORT` | Port number for the server | `3034` (default) |
+
+> **⚠️ Important**: Your CSTG subscription must be configured with an allowed origin that matches where your application is deployed. For production deployments, set `UID_CSTG_ORIGIN` to your application's public URL (e.g., `https://your-domain.com`). For local development, it automatically defaults to `http://localhost:PORT`.
 
 ### Display/UI Configuration
 
diff --git a/web-integrations/javascript-sdk/server-side-node/server.js b/web-integrations/javascript-sdk/server-side-node/server.js
@@ -1,54 +1,52 @@
 "use strict";
 
-// Load environment variables from .env file (for local development)
+// Load environment variables 
 require('dotenv').config({ path: '../../../.env' });
 
 const session = require('cookie-session');
 const ejs = require('ejs');
 const express = require('express');
-const nocache = require('nocache');
-const { JSDOM } = require('jsdom');
 const crypto = require('crypto');
-const util = require('util');
-const XMLHttpRequest = require('xhr2');
+const nocache = require('nocache');
+
 
 const app = express();
 const port = process.env.PORT || 3034;
 
 let uidBaseUrl = process.env.UID_SERVER_BASE_URL;
 const subscriptionId = process.env.UID_CSTG_SUBSCRIPTION_ID;
 const serverPublicKey = process.env.UID_CSTG_SERVER_PUBLIC_KEY;
-
-// UI/Display configuration
 const identityName = process.env.IDENTITY_NAME;
 const docsBaseUrl = process.env.DOCS_BASE_URL;
 
-// SDK will be loaded dynamically (it's an ES module)
-let SdkClass = null;
 
-// Initialize UID JavaScript SDK in a simulated browser environment using jsdom
-// This demonstrates that the client-side SDK works in Node.js with jsdom
+// additional packages/variables needed to ensure compabitibility with the SDK
+const { JSDOM } = require('jsdom'); // for simulating a browser environment
+const util = require('util'); // for polyfilling TextEncoder and TextDecoder
+const XMLHttpRequest = require('xhr2'); // for making HTTP requests
+const clientOrigin = process.env.UID_CSTG_ORIGIN || `http://localhost:${port}`; // Client origin: the URL where this app is accessible
+
+
+// Create a virtual DOM environment for the SDK to run in
+let SdkClass = null;
 let uidSdk = null;
 let dom = null;
 
 async function initializeSDK() {
-  // Create a virtual DOM environment for the SDK to run in
-  // NOTE: The origin 'http://localhost:3034' must be added to your CSTG subscription's
-  // allowed origins list by your UID2/EUID representative
   dom = new JSDOM('<!DOCTYPE html><html><body></body></html>', {
-    url: 'http://localhost:3034',
+    url: clientOrigin,
     runScripts: 'dangerously',
     resources: 'usable',
     pretendToBeVisual: true,
   });
   
-  // Set global variables for the SDK (SDK expects browser globals)
+  // Polyfills for Browser APIs, SDK uses them extensively (e.g., for token storage or making network requests
   global.window = dom.window;
   global.document = dom.window.document;
   global.navigator = dom.window.navigator;
   global.localStorage = dom.window.localStorage;
   
-  // Polyfill Web Crypto API for jsdom (SDK uses crypto.subtle for encryption)
+  // Polyfill Web Crypto API for jsdom (SDK uses crypto.subtle for AES-GCM encryption/decryption)
   Object.defineProperty(dom.window, 'crypto', {
     value: crypto.webcrypto,
     writable: false,
@@ -62,27 +60,41 @@ async function initializeSDK() {
   dom.window.TextDecoder = util.TextDecoder;
   
   // Polyfill XMLHttpRequest with Origin header support
-  // The SDK needs the Origin header to be set for CSTG validation
   const OriginalXHR = XMLHttpRequest;
   class XMLHttpRequestWithOrigin extends OriginalXHR {
     constructor() {
       super();
-      this._origin = 'http://localhost:3034';
+      this._origin = clientOrigin;
+      this._customHeaders = {};
     }
     
     open(method, url, async) {
       const result = super.open(method, url, async);
-      // Set Origin header immediately after open (required for CSTG)
-      super.setRequestHeader('Origin', this._origin);
       return result;
     }
+    
+    setRequestHeader(header, value) {
+      // Allow 'Origin' header that xhr2 normally blocks
+      this._customHeaders[header] = value;
+      if (header.toLowerCase() !== 'origin') {
+        return super.setRequestHeader(header, value);
+      }
+    }
+    
+    send(body) {
+      if (!this._headers) {
+        this._headers = {};
+      }
+      this._headers.origin = this._origin;
+      
+      return super.send(body);
+    }
   }
   
   global.XMLHttpRequest = XMLHttpRequestWithOrigin;
   dom.window.XMLHttpRequest = XMLHttpRequestWithOrigin;
   
   try {
-    // Dynamically import the SDK (it's an ES module)
     const isEUID = identityName && identityName.toUpperCase() === 'EUID';
     if (isEUID) {
       const { EUID } = await import('@unified-id/euid-sdk');
@@ -92,10 +104,8 @@ async function initializeSDK() {
       SdkClass = UID2;
     }
     
-    // Instantiate the SDK (UID2 or EUID based on config)
+    // Instantiate the SDK (UID2 or EUID based on config) with base URL
     uidSdk = new SdkClass();
-    
-    // Initialize the SDK with base URL
     uidSdk.init({ baseUrl: uidBaseUrl });
     
     return uidSdk;
@@ -121,9 +131,6 @@ app.use(nocache());
 
 // Routes
 
-/**
- * Main page - shows login form or identity result
- */
 app.get('/', (req, res) => {
   res.render('index', {
     identity: req.session.identity || null,
@@ -200,9 +207,6 @@ app.post('/login', async (req, res) => {
   }
 });
 
-/**
- * Logout endpoint - clears session and returns to main page
- */
 app.get('/logout', (req, res) => {
   if (uidSdk && uidSdk.disconnect) {
     uidSdk.disconnect();
