From 962201975b8ab680ecee5e2332107cf491e452b6 Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 24 Nov 2025 16:39:19 -0500
Subject: [PATCH] fix: Resolve CORS issue for photo uploads

- Forces frontend to use HTTP for backend requests to prevent mixed content errors.
- Tightens backend CORS policy to a whitelist of allowed origins.
---
 admin/admin.js | 5 +++--
 photo-gallery-app/backend/server.js | 24 +++++++++++++++++++-----
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/admin/admin.js b/admin/admin.js
index a82f9bc..c5d5318 100644
--- a/admin/admin.js
+++ b/admin/admin.js
@@ -55,8 +55,9 @@ document.addEventListener('DOMContentLoaded', () => {
 const responseDiv = document.getElementById('response');
 const backendUrl = (() => {
- const { protocol, hostname } = window.location;
- return `${protocol}//${hostname}:5000`;
+ const { hostname } = window.location;
+ // Always use http because the backend is not serving https
+ return `http://${hostname}:5000`;
 })();
 const LAST_TAGS_KEY = 'bpb-last-tags';
 let adminPassword = '';
diff --git a/photo-gallery-app/backend/server.js b/photo-gallery-app/backend/server.js
index fa29923..5c30128 100644
--- a/photo-gallery-app/backend/server.js
+++ b/photo-gallery-app/backend/server.js
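Review bot: Hard-coding `http://` in `backendUrl` downgrades every admin request, including whatever is sent from `adminPassword` (declared two lines below), to cleartext, and it does not avoid mixed-content errors: a page served over HTTPS that fetches an `http://` URL is blocked by the browser as active mixed content, so from the `https://preview.beachpartyballoons.com` origin that the server-side whitelist in this same patch allows, the upload will still fail, while an `http://` admin page is not in that whitelist at all. Unless the admin page is only ever loaded over plain HTTP on a trusted network (cannot tell from here), the fix belongs on the server side — terminate TLS in front of port 5000 or proxy the API under the page's own origin — and the scheme should keep coming from `window.location`. At minimum the comment should record the consequence rather than the intent, e.g. `// NOTE: plain HTTP — the admin password travels in cleartext; this URL is unusable from an https:// page (mixed content)`. The enclosing `DOMContentLoaded` handler starts before and continues after this hunk.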
@@ -5,11 +5,25 @@ const mongoose = require('mongoose');
 const app = express();
 const port = process.env.PORT || 5000;
-app.use(cors({
- origin: '*', // Allow all origins for development
- methods: ['GET', 'POST', 'PUT', 'DELETE'], // Allow common HTTP methods
- allowedHeaders: ['Content-Type', 'Authorization'] // Allow common headers
-}));
+const whitelist = [
+ 'https://preview.beachpartyballoons.com',
+ 'http://localhost:3050',
+ 'http://127.0.0.1:3050',
+ 'http://localhost:8080' // Common local dev port
+];
+const corsOptions = {
+ origin: function (origin, callback) {
+ if (whitelist.indexOf(origin) !== -1 || !origin) { // !origin allows same-origin and server-to-server
+ callback(null, true);
+ } else {
+ callback(new Error('Not allowed by CORS'));
+ }
+ },
+ methods: ['GET', 'POST', 'PUT', 'DELETE'],
+ allowedHeaders: ['Content-Type', 'Authorization']
+};
+
+app.use(cors(corsOptions));
 app.use(express.json());
 app.use('/uploads', express.static('uploads'));
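Review bot: Rejecting an unlisted origin with `callback(new Error('Not allowed by CORS'))` hands the request to Express's error path; no error handler is visible in this hunk, so the default handler answers 500 and, when `NODE_ENV` is not `production`, echoes the stack trace in the response body to the cross-origin caller. The cors middleware treats `callback(null, false)` as "send no CORS headers", which lets the browser block the response without the server erroring, so the whole branch can be `callback(null, !origin || whitelist.includes(origin));`. The `localhost`/`127.0.0.1` dev origins are also hard-coded into what ships to production even though `port` already reads `process.env.PORT`; sourcing the list from the environment, e.g. `const whitelist = (process.env.CORS_ORIGINS ?? '').split(',').filter(Boolean);` with the current entries as the development fallback, keeps the two consistent. Note that the `!origin` branch means non-browser clients (curl, scripts) are never subject to this check at all, so CORS is not an authentication boundary here and the admin-password check on the upload route — outside this hunk — must remain what actually protects it.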