// CORS for /api/**. Restricts to the configured web client origin and answers preflight.
// Runs before 1.auth.ts (alphabetical order) so OPTIONS is handled without a token.
/**
 * CORS middleware for the API surface.
 *
 * Requests whose path does not start with "/api/" pass through untouched.
 * For API requests the CORS response headers are emitted only when the
 * WEB_ORIGIN environment variable is non-empty, and every OPTIONS request is
 * answered here with an empty 204 so it never reaches later handlers.
 *
 * Security notes:
 * - WEB_ORIGIN is written verbatim into Access-Control-Allow-Origin. Browsers
 *   compare that value exactly against the page origin, so it should be one
 *   origin of the form scheme://host[:port] with no trailing slash or path.
 *   Setting it to "*" would let any site's scripts read API responses.
 * - The OPTIONS short-circuit is not limited to requests carrying preflight
 *   headers, and it also runs when WEB_ORIGIN is unset; in that case the 204
 *   has no CORS headers and a browser preflight fails closed.
 * - CORS only governs what browsers expose to cross-origin scripts. It is not
 *   an access control for non-browser clients, so token validation in the
 *   later auth middleware remains the actual gate.
 */
export default defineEventHandler((event) => {
  const { pathname } = getRequestURL(event);
  if (!pathname.startsWith("/api/")) {
    return;
  }

  // Unset and empty WEB_ORIGIN are treated the same: no CORS headers at all.
  const allowedOrigin = process.env.WEB_ORIGIN;
  if (allowedOrigin) {
    setResponseHeader(event, "Access-Control-Allow-Origin", allowedOrigin);
    setResponseHeader(event, "Vary", "Origin");
    setResponseHeader(event, "Access-Control-Allow-Headers", "authorization, content-type");
    setResponseHeader(event, "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
    // Lets the browser cache the preflight result for 10 minutes.
    setResponseHeader(event, "Access-Control-Max-Age", "600");
  }

  // Anything other than OPTIONS falls through to the next handler.
  if (event.method !== "OPTIONS") {
    return;
  }

  // Preflight: finish the response here with an empty body.
  setResponseStatus(event, 204);
  return "";
});