chore: improve cors

2026-02-25 02:13:00 +08:00 · 2026-02-24 00:51:08 +08:00
parent 744c78abbb
commit e617740974
2 changed files with 44 additions and 17 deletions
--- a/packages/backend/server/src/core/telemetry/service.ts
+++ b/packages/backend/server/src/core/telemetry/service.ts
@@ -6,6 +6,8 @@ import { TelemetryDeduper } from './deduper';
 import { Ga4Client } from './ga4-client';
 import { TelemetryAck, TelemetryBatch } from './types';

+const TELEMETRY_ROUTE_PATTERN = /\/api\/telemetry(?:\/|$)/;
+
@Injectable()
 export class TelemetryService {
  private readonly logger = new Logger(TelemetryService.name);
@@ -71,6 +73,13 @@ export class TelemetryService {
    return false;
  }

+  getAllowedOrigins(routePath?: string): string[] {
+    if (routePath && TELEMETRY_ROUTE_PATTERN.test(routePath)) {
+      return [...this.allowedOrigins];
+    }
+    return [];
+  }
+
  async collectBatch(batch: TelemetryBatch): Promise<TelemetryAck> {
    if (!batch || batch.schemaVersion !== 1 || !Array.isArray(batch.events)) {
      return {
--- a/packages/backend/server/src/server.ts
+++ b/packages/backend/server/src/server.ts
@@ -18,9 +18,11 @@ import {
 } from './base';
 import { SocketIoAdapter } from './base/websocket';
 import { AuthGuard } from './core/auth';
+import { TelemetryService } from './core/telemetry/service';
 import { serverTimingAndCache } from './middleware/timing';

 const OneMB = 1024 * 1024;
+
 export async function run() {
  const { AppModule } = await import('./app.module');

@@ -37,25 +39,41 @@ export async function run() {
  app.useLogger(logger);
  const config = app.get(Config);
  const url = app.get(URLHelper);
+  let telemetry: TelemetryService | null = null;
+  try {
+    telemetry = app.get(TelemetryService, { strict: false });
+  } catch {
+    telemetry = null;
+  }

-  const allowedOrigins = buildCorsAllowedOrigins(url);
+  const defaultAllowedOrigins = buildCorsAllowedOrigins(url);

-  app.enableCors({
-    origin: (origin, callback) => {
-      corsOriginCallback(
-        origin,
-        allowedOrigins,
-        blockedOrigin =>
-          logger.warn(`Blocked CORS request from origin: ${blockedOrigin}`),
-        callback
-      );
-    },
-    credentials: true,
-    methods: CORS_ALLOWED_METHODS,
-    allowedHeaders: CORS_ALLOWED_HEADERS,
-    exposedHeaders: CORS_EXPOSED_HEADERS,
-    maxAge: 86400,
-    optionsSuccessStatus: 204,
+  app.enableCors((req, callback) => {
+    const requestPath = req.path ?? req.url ?? '';
+    const appendedOrigins = telemetry?.getAllowedOrigins(requestPath) ?? [];
+    const finalAllowedOrigins = appendedOrigins.length
+      ? new Set([...defaultAllowedOrigins, ...appendedOrigins])
+      : defaultAllowedOrigins;
+
+    callback(null, {
+      origin: (origin, originCallback) => {
+        corsOriginCallback(
+          origin,
+          finalAllowedOrigins,
+          blockedOrigin =>
+            logger.warn(`Blocked CORS request from origin: ${blockedOrigin}`, {
+              requestPath,
+            }),
+          originCallback
+        );
+      },
+      credentials: true,
+      methods: CORS_ALLOWED_METHODS,
+      allowedHeaders: CORS_ALLOWED_HEADERS,
+      exposedHeaders: CORS_EXPOSED_HEADERS,
+      maxAge: 86400,
+      optionsSuccessStatus: 204,
+    });
  });

  if (config.server.path) {