From 56f9052619beeb4e09f6fc880e1bb02b2e4b91c6 Mon Sep 17 00:00:00 2001
From: grich88
Date: Wed, 12 Nov 2025 03:11:13 +1100
Subject: [PATCH] Fix CORS misconfiguration - Use specific origins instead of wildcard (Issue #356)
---
.../packages/backend/api/src/app/server.ts | 25 +++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/workflow/packages/backend/api/src/app/server.ts b/workflow/packages/backend/api/src/app/server.ts
index 848ced9d..f62d004f 100644
--- a/workflow/packages/backend/api/src/app/server.ts
+++ b/workflow/packages/backend/api/src/app/server.ts
@@ -74,10 +74,31 @@ async function setupBaseApp(): Promise {
await app.register(formBody, { parser: (str) => qs.parse(str) }) app.setErrorHandler(errorHandler) + + // FIX: CORS misconfiguration - Use specific allowed origins instead of wildcard + // This prevents cross-origin data theft from authenticated sessions + // Related to Issue #356 + const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',') || [ + 'https://app.aixblock.io', + 'https://workflow-live.aixblock.io', + ]; + await app.register(cors, { - origin: '*', + origin: (origin, callback) => { + // Allow requests with no origin (like mobile apps or curl requests) + if (!origin) { + return callback(null, true); + } + + if (allowedOrigins.includes(origin)) { + callback(null, true); + } else { + callback(new Error('Not allowed by CORS'), false); + } + }, + credentials: true, exposedHeaders: ['*'], - methods: ['*'], + methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'], }) // SurveyMonkey app.addContentTypeParser(
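Review bot: Now that `credentials: true` is set in the cors options, the unchanged `exposedHeaders: ['*']` stops behaving as a wildcard — per the Fetch spec a `*` in Access-Control-Expose-Headers is only expanded for requests without credentials, so credentialed cross-origin callers will no longer be able to read any non-safelisted response header; the headers the frontend actually reads need to be listed by name. The `ALLOWED_ORIGINS` parsing also uses the env value verbatim: `'https://a.example, https://b.example'` produces `' https://b.example'` and an empty string produces `['']`, both of which silently deny every browser origin, so entries should be trimmed and empty ones dropped before falling back to the two hard-coded defaults. Passing `new Error('Not allowed by CORS')` to the origin callback most likely surfaces as a 500 for every disallowed origin, whereas `callback(null, false)` is the usual fail-closed choice and simply omits the CORS headers. Dropping `PATCH` from `methods` will break cross-origin preflights for any PATCH route the API exposes — worth confirming against the route table before merging. `setupBaseApp` continues past the end of the hunk.

```typescript
// Comma-separated allowlist from the environment; whitespace-only or empty entries are ignored
const configuredOrigins = (process.env.ALLOWED_ORIGINS ?? '')
    .split(',')
    .map((o) => o.trim())
    .filter((o) => o.length > 0)
// Fall back to the known first-party origins only when nothing usable was configured
const allowedOrigins = configuredOrigins.length > 0
    ? configuredOrigins
    : ['https://app.aixblock.io', 'https://workflow-live.aixblock.io']

await app.register(cors, {
    origin: (origin, callback) => {
        // … unchanged: requests without an Origin header (non-browser clients) pass through …
        if (allowedOrigins.includes(origin)) {
            return callback(null, true)
        }
        // Fail closed without raising: the response just carries no CORS headers
        return callback(null, false)
    },
    credentials: true,
    // NOTE(review): '*' is not a wildcard for credentialed requests — replace with the
    // explicit list of non-safelisted response headers the frontend reads
    exposedHeaders: [],
    // … unchanged: methods …
})
```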