- Sistemato INVITI alla App

- Completamento Profilo
- Registrazione tramite Invito, senza richiedere conferma email.

src/server/serverUtils.js

@@ -1,61 +1,97 @@
 const fs = require('fs');
 const path = require('path');
 
+const express = require('express');
+var app = express();
+
 function parseDomains() {
   try {
-    return {
+    const ris = {
       domains: JSON.parse(process.env.DOMAINS || '[]'),
       domainsAllowed: JSON.parse(process.env.DOMAINS_ALLOWED || '[]'),
     };
+    return ris;
   } catch {
     return { domains: [], domainsAllowed: [] };
   }
 }
 
-function createCorsOptions(domains = [], domainsAllowed = [], isProduction = false) {
-  // 1️⃣ Prepara la lista host ammessi (senza porta)
-  const baseHosts = isProduction
-    ? domains.flatMap((d) => [d.hostname, `api.${d.hostname}`, `test.${d.hostname}`, `testapi.${d.hostname}`])
-    : ['localhost', '127.0.0.1'];
+function buildAllowedOrigins(domains, domainsAllowed, isProduction) {
+  if (!isProduction) {
+    return [
+      'https://localhost:3000',
+      'https://localhost:8089',
+      'https://localhost:8082',
+      'https://localhost:8083',
+      'https://localhost:8084',
+      'https://localhost:8085',
+      'https://localhost:8088',
+      'https://localhost:8099',
+      'https://localhost:8094',
+      'https://192.168.8.182',
+      'https://192.168.8.182:8084/',
+      'http://192.168.8.182:8084/',
+    ];
+  }
 
-  const extraHosts = domainsAllowed.map((d) => d.replace(/^https?:\/\//, '').split(':')[0]);
+  const baseOrigins = domains.flatMap((domain) => [
+    `https://${domain.hostname}`,
+    `https://api.${domain.hostname}`,
+    `https://test.${domain.hostname}`,
+    `https://testapi.${domain.hostname}`,
+    `http://${domain.hostname}`,
+    `http://api.${domain.hostname}`,
+    `http://test.${domain.hostname}`,
+    `http://testapi.${domain.hostname}`,
+  ]);
 
-  const allowedHosts = [...new Set([...baseHosts, ...extraHosts])];
+  console.log('baseOrigins:', baseOrigins.map((origin) => `'${origin}'`).join(', '));
 
-  // 2️⃣ Funzione di validazione origin (accetta qualsiasi porta)
-  const originValidator = (origin, callback) => {
-    if (!origin) return callback(null, true); // Postman, curl, ecc.
+  const allowedExtra = domainsAllowed.flatMap((domain) => [`https://${domain}`, `http://${domain}`]);
 
-    try {
-      const url = new URL(origin);
-      const host = url.hostname.toLowerCase();
+  return [...baseOrigins, ...allowedExtra];
+}
 
-      if (allowedHosts.includes(host)) {
-        // if (!isProduction) console.log(`✅ [CORS OK] ${origin}`);
-        return callback(null, true);
-      }
+function createCorsOptions(domains, domainsAllowed, isProduction, noCors = false) {
+  if (noCors) {
+    console.log('NOCORS mode enabled');
+    return {
+      exposedHeaders: ['x-auth', 'x-refrtok'],
+    };
+  }
 
-      if (!isProduction) {
-        console.warn(`⚠️ [CORS DEV] origin non ammessa: ${origin} (host: ${host})`);
-        return callback(null, true); // in dev permetti tutto
-      }
+  const allowedOrigins = buildAllowedOrigins(domains, domainsAllowed, isProduction);
 
-      console.error(`❌ [CORS BLOCKED] ${origin}`);
-      return callback(new Error(`CORS denied for origin ${origin}`), false);
-    } catch (err) {
-      console.error(`❌ [CORS ERROR] parsing origin: ${origin} -> ${err.message}`);
-      return callback(new Error('CORS denied: invalid origin'), false);
+  let originValidator = (origin, callback) => {
+    if (!origin) {
+      // console.log('✅ Origin undefined or empty — allowing');
+      return callback(null, true);
     }
+
+    if (typeof origin !== 'string' || !/^https?:\/\/[^\s/$.?#].[^\s]*$/.test(origin)) {
+      console.error('❌ Invalid origin:', origin);
+      return callback(new Error('Origine non valida'), false);
+    }
+
+    if (allowedOrigins.includes(origin)) {
+      return callback(null, true);
+    }
+
+    console.warn('❌ Origin blocked:', origin);
+    return callback(new Error('CORS non permesso per questa origine'), false);
   };
 
-  // 3️⃣ Restituisce l’oggetto completo per il middleware cors()
+  if (app.get('env') === 'development') {
+    originValidator = (_origin, callback) => callback(null, true);
+  }
+
   return {
     origin: originValidator,
     credentials: true,
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
     allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization', 'x-auth', 'x-refrtok'],
     exposedHeaders: ['x-auth', 'x-refrtok'],
-    maxAge: 86400, // 24 ore di caching per la preflight response
+    maxAge: 86400,
     preflightContinue: false,
     optionsSuccessStatus: 204,
   };

src/server/startServer.js

@@ -26,9 +26,14 @@ async function startServer(app, port) {
     setupExpress(app, corsOptions);
     setupRouters(app);
     setupMailchimpRoutes(app);
+
+    console.log('DOMAINS:', domains)
+    console.log(domains.map(({ hostname, port }) => `${hostname}:${port}`).join(', '));
+    console.table(domains);
+
     // 👇 logica migliorata per gestire HTTPS anche in dev
     if (isProduction) {
-      server = await createHttpsServers(domains, app);
+      await createHttpsServers(domains, app);
     } else if (process.env.HTTPS_LOCALHOST === 'true') {
       server = await createHttpsLocalServer(app, port);
     } else {
@@ -42,11 +47,14 @@ async function startServer(app, port) {
 }
 
 async function createHttpsServers(domains, app) {
+  console.log('NUMERO DOMINI:', domains.length);
   for (const d of domains) {
+    console.log('.  DOMINIO: ', d.hostname + ' ...');
     const credentials = await getCredentials(d.hostname);
     const server = https.createServer(credentials, app);
-    server.listen(d.port, () => console.log(`⭐️ HTTPS ${d.hostname}:${d.port}`));
-    return server;
+    server.listen(d.port, () => {
+      console.log(`⭐️ HTTPS ${d.hostname} server running on port ${d.port}`)
+    });
   }
 }