CORS security ulnerability fixed with a secure origin validation function

Author: Kuzma02

server/app.js

@@ -15,14 +15,40 @@ var cors = require("cors");
 
 const app = express();
 
+const allowedOrigins = [
+  'http://localhost:3000',
+  'http://localhost:3001',
+  process.env.NEXTAUTH_URL,
+  process.env.FRONTEND_URL,
+].filter(Boolean); // Remove undefined values
+
+// CORS configuration with origin validation
+const corsOptions = {
+  origin: function (origin, callback) {
+
+    if (!origin) return callback(null, true);
+    
+
+    if (allowedOrigins.includes(origin)) {
+      return callback(null, true);
+    }
+    
+
+    if (process.env.NODE_ENV === 'development' && origin.startsWith('http://localhost:')) {
+      return callback(null, true);
+    }
+    
+    // Reject other origins
+    const msg = 'The CORS policy for this site does not allow access from the specified Origin.';
+    return callback(new Error(msg), false);
+  },
+  methods: ["GET", "POST", "PUT", "DELETE"],
+  allowedHeaders: ["Content-Type", "Authorization"],
+  credentials: true, // Allow cookies and authorization headers
+};
+
 app.use(express.json());
-app.use(
-  cors({
-    origin: "*",
-    methods: ["GET", "POST", "PUT", "DELETE"],
-    allowedHeaders: ["Content-Type", "Authorization"],
-  })
-);
+app.use(cors(corsOptions));
 app.use(fileUpload());
 
 app.use("/api/products", productsRouter);