feat: update cors and base config

Author: JDIZM

.env.example

@@ -2,8 +2,7 @@
 ## prisma 
 ###
 DATABASE_URL=mongodb://root:example@localhost:27017/dbname
-APP_URL=http://localhost
-PORT=3000
+PORT=4000
 
 ###
 # GCP // Firebase credentials.

docker-compose.yml

@@ -5,11 +5,10 @@ services:
     environment:
       - NODE_ENV=${NODE_ENV:-development}
       - DATABASE_URL=${DATABASE_URL}
-      - APP_URL=${APP_URL}
       - PORT=${PORT}
     ports:
       - "${PORT}:${PORT}"
     volumes:
       # set the GOOGLE_APPLICATION_CREDENTIALS env variable to the path of the gcloud.json file
-      # - $HOME/gcloud.json:/app/gcloud.json
+      # will use the default path if not set. If shell env is set it will take precedence.
       - ${GOOGLE_APPLICATION_CREDENTIALS:-$HOME/gcloud.json}:/app/gcloud.json

src/config.ts

@@ -10,6 +10,5 @@ if (ENV !== "production") {
 
 export const config = {
   env: ENV,
-  port: process.env.PORT || 3000,
-  appUrl: process.env.APP_URL ?? "http://localhost:3000"
+  port: process.env.PORT || 4000
 };

src/helpers/cors.ts

@@ -0,0 +1,18 @@
+export const whitelist: RegExp[] = [
+  /^https?:\/\/localhost:3000$/,
+  /^https?:\/\/example\.com$/,
+  /^https?:\/\/subdomain\.example\.com$/
+  // Add more patterns as needed
+];
+
+export const corsOptions = {
+  origin: function (origin: string | undefined, callback: (a: null | Error, b?: boolean) => void) {
+    const isOriginAllowed = origin ? whitelist.some((pattern) => pattern.test(origin)) : true;
+
+    if (isOriginAllowed) {
+      callback(null, true);
+    } else {
+      callback(new Error("Not allowed by CORS"));
+    }
+  }
+};

src/server.ts

@@ -3,6 +3,9 @@ import { pinoHttp } from "pino-http";
 import { config } from "./config.js";
 import { routes } from "./routes/index.js";
 import cors from "cors";
+import helmet from "helmet";
+import cookieParser from "cookie-parser";
+import { corsOptions } from "./helpers/cors.ts";
 
 const { logger } = pinoHttp();
 
@@ -20,29 +23,40 @@ checkConfigIsValid();
 
 const app = express();
 
+//
+// Middleware
+//
+
+// Logger
 app.use(
   pinoHttp({
     logger
   })
 );
 
+app.use(
+  helmet({
+    contentSecurityPolicy: false,
+    xDownloadOptions: false
+  })
+);
+app.use(cookieParser());
+
 // parse application/x-www-form-urlencoded
 app.use(express.urlencoded({ extended: true }));
 
 // parse application/json
 app.use(express.json());
 
-const corsWhitelist = [`http://localhost:${config.port}`, config.appUrl];
-
-const corsOptions = {
-  origin: corsWhitelist,
-  optionsSuccessStatus: 204
-};
-
+// CORS
 app.use(cors(corsOptions));
+app.options("*", cors(corsOptions));
 
+//
+// Routes
+//
 routes(app);
 
 app.listen(config.port, () => {
-  console.log(`[server]: Server is running at ${config.appUrl}:${config.port}`);
+  logger.info(`[server]: Server is running on port: ${config.port}`);
 });