From 185ce22ce98e4a12b875d08b06beaa8bbd8b99e0 Mon Sep 17 00:00:00 2001 From: Nicolas Meienberger Date: Sat, 10 Jan 2026 13:22:57 +0100 Subject: [PATCH] feat: configurable trusted origins --- README.md | 3 ++- app/lib/auth.ts | 5 ++--- app/server/app.ts | 5 +++++ app/server/core/config.ts | 2 ++ 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4f504ad7..94c166ad 100644 --- a/README.md +++ b/README.md @@ -80,9 +80,10 @@ Zerobyte can be customized using environment variables. Below are the available | :-------------------- | :----------------------------------------------------------------------------------------------------------------- | :--------- | | `PORT` | The port the web interface and API will listen on. | `4096` | | `RESTIC_HOSTNAME` | The hostname used by Restic when creating snapshots. Automatically detected if a custom hostname is set in Docker. | `zerobyte` | +| `TZ` | Timezone for the container (e.g., `Europe/Paris`). **Crucial for accurate backup scheduling.** | `UTC` | +| `TRUSTED_ORIGINS` | Comma-separated list of trusted origins for CORS (e.g., `http://localhost:3000,http://example.com`). | (none) | | `LOG_LEVEL` | Logging verbosity. Options: `debug`, `info`, `warn`, `error`. | `info` | | `SERVER_IDLE_TIMEOUT` | Idle timeout for the server in seconds. | `60` | -| `TZ` | Timezone for the container (e.g., `Europe/Paris`). **Crucial for accurate backup scheduling.** | `UTC` | ### Secret References diff --git a/app/lib/auth.ts b/app/lib/auth.ts index 20631681..3e4b3feb 100644 --- a/app/lib/auth.ts +++ b/app/lib/auth.ts @@ -11,12 +11,14 @@ import { convertLegacyUserOnFirstLogin } from "./auth-middlewares/convert-legacy import { cryptoUtils } from "~/server/utils/crypto"; import { db } from "~/server/db/db"; import { ensureOnlyOneUser } from "./auth-middlewares/only-one-user"; +import { config } from "~/server/core/config"; export type AuthMiddlewareContext = MiddlewareContext>; const createBetterAuth = (secret: string) => betterAuth({ secret, + trustedOrigins: config.trustedOrigins ?? ["*"], hooks: { before: createAuthMiddleware(async (ctx) => { await ensureOnlyOneUser(ctx); @@ -55,9 +57,6 @@ const createBetterAuth = (secret: string) => }, }), ], - advanced: { - disableOriginCheck: true, - }, }); type Auth = ReturnType; diff --git a/app/server/app.ts b/app/server/app.ts index e5bae37e..f127d431 100644 --- a/app/server/app.ts +++ b/app/server/app.ts @@ -1,5 +1,6 @@ import { Scalar } from "@scalar/hono-api-reference"; import { Hono } from "hono"; +import { cors } from "hono/cors"; import { logger as honoLogger } from "hono/logger"; import { secureHeaders } from "hono/secure-headers"; import { rateLimiter } from "hono-rate-limiter"; @@ -38,6 +39,10 @@ export const scalarDescriptor = Scalar({ export const createApp = () => { const app = new Hono(); + if (config.trustedOrigins) { + app.use(cors({ origin: config.trustedOrigins })); + } + if (config.environment !== "test") { app.use(honoLogger()); } diff --git a/app/server/core/config.ts b/app/server/core/config.ts index 38d09bec..7fb2b973 100644 --- a/app/server/core/config.ts +++ b/app/server/core/config.ts @@ -32,6 +32,7 @@ const envSchema = type({ PORT: 'string.integer.parse = "4096"', MIGRATIONS_PATH: "string?", APP_VERSION: "string = 'dev'", + TRUSTED_ORIGINS: "string?", }).pipe((s) => ({ __prod__: s.NODE_ENV === "production", environment: s.NODE_ENV, @@ -41,6 +42,7 @@ const envSchema = type({ port: s.PORT, migrationsPath: s.MIGRATIONS_PATH, appVersion: s.APP_VERSION, + trustedOrigins: s.TRUSTED_ORIGINS?.split(",").map((origin) => origin.trim()), })); const parseConfig = (env: unknown) => {