6 changes: 5 additions & 1 deletion cmd/api/main.go
@@ -221,8 +221,12 @@ func setupMiddleware(app *fiber.App, sentryHandler fiber.Handler, cfg *config.Co
app.Use(logger.New(logger.Config{
Format: "[${time}] ${status} - ${latency} ${method} ${path}\n",
}))

// Log CORS origins for debugging
log.Info().Strs("cors_origins", cfg.CORSOrigins).Msg("CORS configured with origins")

app.Use(cors.New(cors.Config{
AllowOrigins: strings.Join(cfg.CORSOrigins, ","),
AllowOrigins: strings.Join(cfg.CORSOrigins, ", "),
AllowHeaders: "Origin, Content-Type, Accept, Authorization, X-API-Key",
AllowMethods: "GET, POST, PUT, DELETE, OPTIONS, PATCH",
AllowCredentials: true,
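Review bot: the separator change on the `AllowOrigins:` line from `","` to `", "` only works if the CORS middleware trims whitespace around each entry when it splits the list; if it does not, every origin after the first is stored with a leading space, never matches a browser's `Origin` header, and requests from those origins are silently rejected. Either keep `","` (which sidesteps the question) or confirm the trim behaviour and reject any configured origin containing whitespace at startup. Since `AllowCredentials: true` is hardcoded on the next lines, the startup log added on the `cors_origins` line is also the right place to refuse a `*` entry: a wildcard origin combined with credentials is not honoured by browsers and should fail `setupMiddleware` rather than be logged and ignored.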
2 changes: 1 addition & 1 deletion internal/config/config.go
@@ -69,7 +69,7 @@ func Load() (*Config, error) {
DatabaseURL: os.Getenv("DATABASE_URL"),
RedisURL: getEnv("REDIS_URL", "localhost:6379"),
APIKey: os.Getenv("BACKEND_API_KEY"),
CORSOrigins: parseCORSOrigins(getEnv("CORS_ORIGINS", "https://nodebyte.host")),
CORSOrigins: parseCORSOrigins(getEnv("CORS_ORIGINS", "http://localhost:3000,https://nodebyte.host")),
Bug: The default CORS_ORIGINS includes http://localhost:3000. With AllowCredentials: true, this is a security risk if the environment variable is not explicitly set in production.
Severity: MEDIUM

Suggested Fix

Remove http://localhost:3000 from the default CORS_ORIGINS value. Alternatively, implement environment-aware defaults, providing a different, more restrictive set of origins for production environments compared to development. This ensures development origins are not accidentally enabled in production.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: internal/config/config.go#L72

Potential issue: The default value for `CORS_ORIGINS` was changed to include
`http://localhost:3000`. This origin is now allowed by default in all environments. The
CORS configuration in `cmd/api/main.go` has `AllowCredentials: true` hardcoded. If the
`CORS_ORIGINS` environment variable is not explicitly set in a production deployment,
the API will accept credentialed requests from `http://localhost:3000`. This is a
security misconfiguration that violates the principle of least privilege by including a
development-specific origin in the production default settings.

// Panel settings
PterodactylURL: os.Getenv("PTERODACTYL_URL"),
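Review bot: the new default on the `CORSOrigins:` line puts `http://localhost:3000` into the allow-list whenever `CORS_ORIGINS` is unset, and `cmd/api/main.go` sets `AllowCredentials: true`, so an unconfigured production deployment accepts credentialed cross-origin requests from a plain-http loopback origin that any process on a user's machine can serve. Keep the production default at `"https://nodebyte.host"` and supply the development origin through the environment (a `.env` or compose file), or make `Load()` return an error in production when `CORS_ORIGINS` is missing so the misconfiguration is caught at startup instead of at incident time.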
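One way to implement the environment-aware defaults that the review comment suggests, as an added example written for this discussion rather than code from the project: the `parseCORSOrigins` helper here is a stand-in (the project's own is not shown), the `APP_ENV` variable name is an assumption, and the policy is that development falls back to `http://localhost:3000` while production must set `CORS_ORIGINS` explicitly and may not contain a loopback or wildcard origin, because `AllowCredentials: true` is hardcoded in `main.go`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// parseCORSOrigins is a stand-in for the project's helper (not shown on the
// page): split on commas, trim whitespace, and drop empty entries so that
// both "a,b" and "a, b" produce the same clean list.
func parseCORSOrigins(s string) []string {
	var out []string
	for _, part := range strings.Split(s, ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// isLoopbackOrigin reports whether the origin points at the local machine.
// Such origins are fine for development but must never be credentialed in
// production, since any local process could serve that origin.
func isLoopbackOrigin(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	switch u.Hostname() {
	case "localhost", "127.0.0.1", "::1":
		return true
	}
	return false
}

// ResolveCORSOrigins chooses the allow-list for the given environment.
// Development: an empty CORS_ORIGINS falls back to the local dev origin.
// Production: CORS_ORIGINS is mandatory, and loopback or wildcard entries are
// rejected, so a missing or sloppy variable fails at startup instead of
// silently enabling credentialed requests from localhost.
func ResolveCORSOrigins(appEnv, corsEnv string) ([]string, error) {
	origins := parseCORSOrigins(corsEnv)
	if appEnv != "production" {
		if len(origins) == 0 {
			return []string{"http://localhost:3000"}, nil
		}
		return origins, nil
	}
	if len(origins) == 0 {
		return nil, errors.New("CORS_ORIGINS must be set explicitly in production")
	}
	for _, o := range origins {
		// "*" with AllowCredentials is never honoured by browsers, and a
		// loopback origin would let local software make credentialed calls.
		if o == "*" || isLoopbackOrigin(o) {
			return nil, fmt.Errorf("refusing CORS origin %q in production", o)
		}
	}
	return origins, nil
}

func main() {
	// APP_ENV is an assumed variable name; the project's own is not shown.
	origins, err := ResolveCORSOrigins(os.Getenv("APP_ENV"), os.Getenv("CORS_ORIGINS"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	fmt.Println("CORS origins:", strings.Join(origins, ","))
}
```

Wiring this into `Load()` would mean returning the error instead of a `Config`, so a production container started without `CORS_ORIGINS` exits immediately with a clear message rather than serving with a development origin in its allow-list.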