- Sistemato INVITI alla App

- Completamento Profilo - Registrazione tramite Invito, senza richiedere conferma email.
2025-11-18 23:56:15 +01:00
parent 1a342de24a
commit 294155d5a3
17 changed files with 203 additions and 98 deletions
--- a/src/server/serverUtils.js
+++ b/src/server/serverUtils.js
@@ -1,61 +1,97 @@
 const fs = require('fs');
 const path = require('path');

+const express = require('express');
+var app = express();
+
 function parseDomains() {
  try {
-    return {
+    const ris = {
      domains: JSON.parse(process.env.DOMAINS || '[]'),
      domainsAllowed: JSON.parse(process.env.DOMAINS_ALLOWED || '[]'),
    };
+    return ris;
  } catch {
    return { domains: [], domainsAllowed: [] };
  }
 }

-function createCorsOptions(domains = [], domainsAllowed = [], isProduction = false) {
-  // 1️⃣ Prepara la lista host ammessi (senza porta)
-  const baseHosts = isProduction
-    ? domains.flatMap((d) => [d.hostname, `api.${d.hostname}`, `test.${d.hostname}`, `testapi.${d.hostname}`])
-    : ['localhost', '127.0.0.1'];
+function buildAllowedOrigins(domains, domainsAllowed, isProduction) {
+  if (!isProduction) {
+    return [
+      'https://localhost:3000',
+      'https://localhost:8089',
+      'https://localhost:8082',
+      'https://localhost:8083',
+      'https://localhost:8084',
+      'https://localhost:8085',
+      'https://localhost:8088',
+      'https://localhost:8099',
+      'https://localhost:8094',
+      'https://192.168.8.182',
+      'https://192.168.8.182:8084/',
+      'http://192.168.8.182:8084/',
+    ];
+  }

-  const extraHosts = domainsAllowed.map((d) => d.replace(/^https?:\/\//, '').split(':')[0]);
+  const baseOrigins = domains.flatMap((domain) => [
+    `https://${domain.hostname}`,
+    `https://api.${domain.hostname}`,
+    `https://test.${domain.hostname}`,
+    `https://testapi.${domain.hostname}`,
+    `http://${domain.hostname}`,
+    `http://api.${domain.hostname}`,
+    `http://test.${domain.hostname}`,
+    `http://testapi.${domain.hostname}`,
+  ]);

-  const allowedHosts = [...new Set([...baseHosts, ...extraHosts])];
+  console.log('baseOrigins:', baseOrigins.map((origin) => `'${origin}'`).join(', '));

-  // 2️⃣ Funzione di validazione origin (accetta qualsiasi porta)
-  const originValidator = (origin, callback) => {
-    if (!origin) return callback(null, true); // Postman, curl, ecc.
+  const allowedExtra = domainsAllowed.flatMap((domain) => [`https://${domain}`, `http://${domain}`]);

-    try {
-      const url = new URL(origin);
-      const host = url.hostname.toLowerCase();
+  return [...baseOrigins, ...allowedExtra];
+}

-      if (allowedHosts.includes(host)) {
-        // if (!isProduction) console.log(`✅ [CORS OK] ${origin}`);
-        return callback(null, true);
-      }
+function createCorsOptions(domains, domainsAllowed, isProduction, noCors = false) {
+  if (noCors) {
+    console.log('NOCORS mode enabled');
+    return {
+      exposedHeaders: ['x-auth', 'x-refrtok'],
+    };
+  }

-      if (!isProduction) {
-        console.warn(`⚠️ [CORS DEV] origin non ammessa: ${origin} (host: ${host})`);
-        return callback(null, true); // in dev permetti tutto
-      }
+  const allowedOrigins = buildAllowedOrigins(domains, domainsAllowed, isProduction);

-      console.error(`❌ [CORS BLOCKED] ${origin}`);
-      return callback(new Error(`CORS denied for origin ${origin}`), false);
-    } catch (err) {
-      console.error(`❌ [CORS ERROR] parsing origin: ${origin} -> ${err.message}`);
-      return callback(new Error('CORS denied: invalid origin'), false);
+  let originValidator = (origin, callback) => {
+    if (!origin) {
+      // console.log('✅ Origin undefined or empty — allowing');
+      return callback(null, true);
    }
+
+    if (typeof origin !== 'string' || !/^https?:\/\/[^\s/$.?#].[^\s]*$/.test(origin)) {
+      console.error('❌ Invalid origin:', origin);
+      return callback(new Error('Origine non valida'), false);
+    }
+
+    if (allowedOrigins.includes(origin)) {
+      return callback(null, true);
+    }
+
+    console.warn('❌ Origin blocked:', origin);
+    return callback(new Error('CORS non permesso per questa origine'), false);
  };

-  // 3️⃣ Restituisce l’oggetto completo per il middleware cors()
+  if (app.get('env') === 'development') {
+    originValidator = (_origin, callback) => callback(null, true);
+  }
+
  return {
    origin: originValidator,
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
    allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Authorization', 'x-auth', 'x-refrtok'],
    exposedHeaders: ['x-auth', 'x-refrtok'],
-    maxAge: 86400, // 24 ore di caching per la preflight response
+    maxAge: 86400,
    preflightContinue: false,
    optionsSuccessStatus: 204,
  };