fix: add CORS headers and trust proxy for rate limiter
- Added CORS middleware allowing docfast.dev origin
- Added app.set('trust proxy', 1) to fix ERR_ERL_UNEXPECTED_X_FORWARDED_FOR
- The rate limiter was crashing on every proxied request through nginx
This commit is contained in:
parent
7f04789997
commit
6276d61aa3
1 changed files with 20 additions and 0 deletions
20
src/index.ts
20
src/index.ts
|
|
@ -21,11 +21,31 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
|
|||
loadKeys();
|
||||
|
||||
app.use(helmet());
|
||||
|
||||
// CORS — allow browser requests from the landing page
|
||||
app.use((req, res, next) => {
|
||||
const origin = req.headers.origin;
|
||||
const allowed = ["https://docfast.dev", "http://localhost:3100"];
|
||||
if (origin && allowed.includes(origin)) {
|
||||
res.setHeader("Access-Control-Allow-Origin", origin);
|
||||
}
|
||||
res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
|
||||
res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key");
|
||||
res.setHeader("Access-Control-Max-Age", "86400");
|
||||
if (req.method === "OPTIONS") {
|
||||
res.status(204).end();
|
||||
return;
|
||||
}
|
||||
next();
|
||||
});
|
||||
// Raw body for Stripe webhook signature verification
|
||||
app.use("/v1/billing/webhook", express.raw({ type: "application/json" }));
|
||||
app.use(express.json({ limit: "2mb" }));
|
||||
app.use(express.text({ limit: "2mb", type: "text/*" }));
|
||||
|
||||
// Trust nginx proxy
|
||||
app.set("trust proxy", 1);
|
||||
|
||||
// Rate limiting
|
||||
const limiter = rateLimit({
|
||||
windowMs: 60_000,
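Review bot: The CORS middleware reflects a per-request `Access-Control-Allow-Origin` but never sets `Vary: Origin`, so any shared cache in front of the app (the nginx proxy this commit configures, or a CDN) may serve a response carrying `https://docfast.dev` as the allowed origin to a request from `http://localhost:3100`, or a response with no allow-origin header at all to the landing page; add `res.setHeader("Vary", "Origin");` next to the `Access-Control-Max-Age` line. The `allowed` array is rebuilt inside the handler on every request; hoisting it to a module-level `const ALLOWED_ORIGINS = ["https://docfast.dev", "http://localhost:3100"];` reads more clearly and gives one place to extend the list. `app.set("trust proxy", 1)` trusts exactly one hop, which is correct only if nginx is the sole path to the process; if the Node port were reachable directly, a client-supplied `X-Forwarded-For` would be honoured by the rate limiter, so it is worth confirming the listener is bound to localhost or otherwise unreachable except through the proxy — that cannot be told from this hunk. The `const limiter = rateLimit({` statement at the end of the hunk continues outside it.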
|
||||
|
|
|
|||