fix: Resolve CORS issue for photo uploads

- Forces frontend to use HTTP for backend requests to prevent mixed content errors.
- Tightens backend CORS policy to a whitelist of allowed origins.

admin/admin.js

@@ -55,8 +55,9 @@ document.addEventListener('DOMContentLoaded', () => {
     const responseDiv = document.getElementById('response');
 
     const backendUrl = (() => {
-        const { protocol, hostname } = window.location;
+        const { hostname } = window.location;
-        return `${protocol}//${hostname}:5000`;
+        // Always use http because the backend is not serving https
+        return `http://${hostname}:5000`;
     })();
     const LAST_TAGS_KEY = 'bpb-last-tags';
     let adminPassword = '';

photo-gallery-app/backend/server.js

@@ -5,11 +5,25 @@ const mongoose = require('mongoose');
 const app = express();
 const port = process.env.PORT || 5000;
 
-app.use(cors({
+const whitelist = [
-  origin: '*', // Allow all origins for development
+    'https://preview.beachpartyballoons.com',
-  methods: ['GET', 'POST', 'PUT', 'DELETE'], // Allow common HTTP methods
+    'http://localhost:3050',
-  allowedHeaders: ['Content-Type', 'Authorization'] // Allow common headers
+    'http://127.0.0.1:3050',
-}));
+    'http://localhost:8080' // Common local dev port
+];
+const corsOptions = {
+    origin: function (origin, callback) {
+        if (whitelist.indexOf(origin) !== -1 || !origin) { // !origin allows same-origin and server-to-server
+            callback(null, true);
+        } else {
+            callback(new Error('Not allowed by CORS'));
+        }
+    },
+    methods: ['GET', 'POST', 'PUT', 'DELETE'],
+    allowedHeaders: ['Content-Type', 'Authorization']
+};
+
+app.use(cors(corsOptions));
 app.use(express.json());
 app.use('/uploads', express.static('uploads'));