架构: 添加CORS配置中间件

2026-03-10 09:12:25 +00:00 · 2026-03-10 09:12:25 +00:00 · a63e0e558f
commit a63e0e558f
parent a93ae053a4
2 changed files with 32 additions and 2 deletions
--- a/backend/src/index.js
+++ b/backend/src/index.js
@ -1,5 +1,5 @@
 const express = require('express');
-const cors = require('cors');
+// const cors = require('cors'); // Using custom cors middleware
 const authRoutes = require('./routes/auth');
 const fileRoutes = require('./routes/files');
 const shareRoutes = require('./routes/share');
@ -18,7 +18,8 @@ const logger = require('./middleware/logger');
 const app = express();
 const PORT = process.env.PORT || 3000;

-app.use(cors());
+const corsMiddleware = require('./middleware/cors');
+app.use(corsMiddleware);
 app.use(express.json());
 app.use(logger);

--- a/backend/src/middleware/cors.js
+++ b/backend/src/middleware/cors.js
@ -0,0 +1,29 @@
+// CORS 中间件配置
+const cors = require('cors');
+
+const corsOptions = {
+  origin: (origin, callback) => {
+    // 允许的域名列表
+    const allowedOrigins = [
+      'http://localhost:3000',
+      'http://localhost:5173',
+      'http://127.0.0.1:3000',
+      'file://',
+      // 添加你的生产域名
+    ];
+    
+    // 允许没有 origin 的请求（如 Postman）
+    if (!origin || allowedOrigins.includes(origin) || origin.endsWith('.yourdomain.com')) {
+      callback(null, true);
+    } else {
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
+  exposedHeaders: ['Content-Length', 'X-Requested-With'],
+  credentials: true,
+  maxAge: 86400, // 24小时
+};
+
+module.exports = cors(corsOptions);