架构: 添加CORS配置中间件

backend/src/index.js

@@ -1,5 +1,5 @@
 const express = require('express');
-const cors = require('cors');
+// const cors = require('cors'); // Using custom cors middleware
 const authRoutes = require('./routes/auth');
 const fileRoutes = require('./routes/files');
 const shareRoutes = require('./routes/share');
@@ -18,7 +18,8 @@ const logger = require('./middleware/logger');
 const app = express();
 const PORT = process.env.PORT || 3000;
 
-app.use(cors());
+const corsMiddleware = require('./middleware/cors');
+app.use(corsMiddleware);
 app.use(express.json());
 app.use(logger);
 

backend/src/middleware/cors.js

@@ -0,0 +1,29 @@
+// CORS 中间件配置
+const cors = require('cors');
+
+const corsOptions = {
+  origin: (origin, callback) => {
+    // 允许的域名列表
+    const allowedOrigins = [
+      'http://localhost:3000',
+      'http://localhost:5173',
+      'http://127.0.0.1:3000',
+      'file://',
+      // 添加你的生产域名
+    ];
+    
+    // 允许没有 origin 的请求（如 Postman）
+    if (!origin || allowedOrigins.includes(origin) || origin.endsWith('.yourdomain.com')) {
+      callback(null, true);
+    } else {
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
+  exposedHeaders: ['Content-Length', 'X-Requested-With'],
+  credentials: true,
+  maxAge: 86400, // 24小时
+};
+
+module.exports = cors(corsOptions);