From 7e776fe2e6418c285eb140067c162b2988142e69 Mon Sep 17 00:00:00 2001
From: Mika Vohl <103958325+MikaVohl@users.noreply.github.com>
Date: Sat, 7 Dec 2024 16:54:38 -0500
Subject: [PATCH] Bugfix/allow cors (#941)

* Allowed vercel automatic branch deployments in CORS policy
* Reject non-origin requests
---
 app.js | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/app.js b/app.js
index 2b067bdf..7efd85cc 100755
--- a/app.js
+++ b/app.js
@@ -43,17 +43,31 @@ if (!Services.env.isProduction()) {
 credentials: true
 };
 } else {
- // TODO: change this when necessary
 corsOptions = {
- origin: [
- `https://${process.env.FRONTEND_ADDRESS_DEPLOY}`,
- `https://${process.env.FRONTEND_ADDRESS_BETA}`,
- `https://docs.mchacks.ca`
- ],
+ origin: (origin, callback) => {
+ const allowedOrigins = [
+ `https://${process.env.FRONTEND_ADDRESS_DEPLOY}`,
+ `https://${process.env.FRONTEND_ADDRESS_BETA}`,
+ `https://docs.mchacks.ca`
+ ];
+
+ const regex = /^https:\/\/dashboard-[\w-]+\.vercel\.app$/;
+
+ if (
+ allowedOrigins.includes(origin) || // Explicitly allowed origins
+ regex.test(origin) // Matches dashboard subdomains
+ ) {
+ callback(null, true);
+ } else {
+ callback(new Error('Not allowed by CORS'));
+ }
+ },
 credentials: true
 };
 }
+
+
 app.use(cors(corsOptions));
 app.use(Services.log.requestLogger);
 app.use(Services.log.errorLogger);
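Review bot: The pattern `/^https:\/\/dashboard-[\w-]+\.vercel\.app$/` in the new `origin` callback accepts any `vercel.app` host whose name starts with `dashboard-`, and `vercel.app` names are not reserved to this project, so with `credentials: true` a site outside the team could be granted credentialed cross-origin access to the API. Pinning the match to the team's own scope suffix would narrow it, for example `const regex = /^https:\/\/dashboard-[\w-]+-<team-slug>\.vercel\.app$/;`, where `<team-slug>` is a placeholder for the real Vercel scope, which the diff does not show. Separately, requests with no `Origin` header (health checks, server-to-server calls) now reach `callback(new Error('Not allowed by CORS'))`, which the `cors` middleware passes on as an error and, unless an error handler maps it, probably surfaces as a 500; because a non-browser client can send any `Origin` value, this rejection is not an access control and should not be relied on as one. The enclosing `if`/`else` begins above the hunk, so the development branch is not visible here.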