From a63e0e558f70d3ad2b4c5814ec36234b512e8426 Mon Sep 17 00:00:00 2001
From: Architecture Designer
Date: Tue, 10 Mar 2026 09:12:25 +0000
Subject: [PATCH] =?UTF-8?q?=E6=9E=B6=E6=9E=84:=20=E6=B7=BB=E5=8A=A0CORS?= =?UTF-8?q?=E9=85=8D=E7=BD=AE=E4=B8=AD=E9=97=B4=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 backend/src/index.js | 5 +++--
 backend/src/middleware/cors.js | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 backend/src/middleware/cors.js
diff --git a/backend/src/index.js b/backend/src/index.js
index 20469f1..afd64a0 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -1,5 +1,5 @@
 const express = require('express');
-const cors = require('cors');
+// const cors = require('cors'); // Using custom cors middleware
 const authRoutes = require('./routes/auth');
 const fileRoutes = require('./routes/files');
 const shareRoutes = require('./routes/share');
@@ -18,7 +18,8 @@ const logger = require('./middleware/logger');
 const app = express();
 const PORT = process.env.PORT || 3000;
-app.use(cors());
+const corsMiddleware = require('./middleware/cors');
+app.use(corsMiddleware);
 app.use(express.json());
 app.use(logger);
diff --git a/backend/src/middleware/cors.js b/backend/src/middleware/cors.js
new file mode 100644
index 0000000..5adfaec
--- /dev/null
+++ b/backend/src/middleware/cors.js
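Review bot: In `backend/src/index.js` the first hunk keeps the old import as commented-out code (`// const cors = require('cors'); // Using custom cors middleware`); deleting the line is cleaner, and the trailing comment is slightly misleading because the new middleware still wraps the `cors` package rather than replacing it. In the second hunk `const corsMiddleware = require('./middleware/cors');` sits between `const PORT` and the `app.use(...)` calls; moving it up beside `const logger = require('./middleware/logger');` keeps all requires in one place. Both hunks show only part of the file.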
@@ -0,0 +1,29 @@
+// CORS 中间件配置
+const cors = require('cors');
+
+const corsOptions = {
+ origin: (origin, callback) => {
+ // 允许的域名列表
+ const allowedOrigins = [
+ 'http://localhost:3000',
+ 'http://localhost:5173',
+ 'http://127.0.0.1:3000',
+ 'file://',
+ // 添加你的生产域名
+ ];
+
+ // 允许没有 origin 的请求(如 Postman)
+ if (!origin || allowedOrigins.includes(origin) || origin.endsWith('.yourdomain.com')) {
+ callback(null, true);
+ } else {
+ callback(new Error('Not allowed by CORS'));
+ }
+ },
+ methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+ allowedHeaders: ['Content-Type', 'Authorization'],
+ exposedHeaders: ['Content-Length', 'X-Requested-With'],
+ credentials: true,
+ maxAge: 86400, // 24小时
+};
+
+module.exports = cors(corsOptions);
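Review bot: The `origin.endsWith('.yourdomain.com')` branch in the `origin` callback is a plain string-suffix test against what looks like a placeholder domain, and it is combined with `credentials: true`, so any origin whose text ends in that suffix, over any scheme or port, would be granted credentialed cross-origin access. I would drop the suffix test and the `'file://'` entry until the real production origins are known, match exact origins only, and build the list once at module scope instead of on every request. A rejected origin is better answered with `callback(null, false)` than with `callback(new Error('Not allowed by CORS'))`, because the error form is handed to Express's error handling and no error handler is visible in this patch. `X-Requested-With` in `exposedHeaders` is normally a request header and probably belongs in `allowedHeaders`.

```javascript
// Exact origins only; add production origins here once they are known.
const allowedOrigins = new Set([
  'http://localhost:3000',
  'http://localhost:5173',
  'http://127.0.0.1:3000',
]);

const corsOptions = {
  origin: (origin, callback) => {
    // No Origin header (curl, Postman, same-origin requests): CORS does not apply.
    // A disallowed origin gets no CORS headers instead of an application error.
    callback(null, !origin || allowedOrigins.has(origin));
  },
  // … unchanged: methods, allowedHeaders, exposedHeaders, credentials, maxAge …
};
```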