fix(testkit): macOS compat + fix test 8c ordering (#24)

2026-03-18 21:01:13 -04:00
parent ca94c0a9e5
commit 83a2ec19e2
59 changed files with 4458 additions and 454 deletions
--- a/artifacts/api-server/src/app.ts
+++ b/artifacts/api-server/src/app.ts
@@ -1,14 +1,47 @@
 import express, { type Express } from "express";
 import cors from "cors";
-import router from "./routes";
+import router from "./routes/index.js";
+import { responseTimeMiddleware } from "./middlewares/response-time.js";

 const app: Express = express();

 app.set("trust proxy", 1);

-app.use(cors());
+// ── CORS (#5) ────────────────────────────────────────────────────────────────
+// CORS_ORIGINS = comma-separated list of allowed origins.
+// Default in production: alexanderwhitestone.com (and www. variant).
+// Default in development: all origins permitted.
+const isProd = process.env["NODE_ENV"] === "production";
+
+const rawOrigins = process.env["CORS_ORIGINS"];
+const allowedOrigins: string[] = rawOrigins
+  ? rawOrigins.split(",").map((o) => o.trim()).filter(Boolean)
+  : isProd
+    ? ["https://alexanderwhitestone.com", "https://www.alexanderwhitestone.com"]
+    : [];
+
+app.use(
+  cors({
+    origin:
+      allowedOrigins.length === 0
+        ? true
+        : (origin, callback) => {
+            if (!origin || allowedOrigins.includes(origin)) {
+              callback(null, true);
+            } else {
+              callback(new Error(`CORS: origin '${origin}' not allowed`));
+            }
+          },
+    credentials: true,
+    methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Session-Token"],
+    exposedHeaders: ["X-Session-Token"],
+  }),
+);
+
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
+app.use(responseTimeMiddleware);

 app.use("/api", router);