From 683ee930362662ae283d34ce0c638178c2daed80 Mon Sep 17 00:00:00 2001 From: gitmotion <43588713+gitmotion@users.noreply.github.com> Date: Fri, 20 Jun 2025 09:36:05 -0700 Subject: [PATCH] Revert "deprecate ALLOWED_IFRAME_ORIGINS" This reverts commit 9792f06691985ec0927029ae3523e4ccea0ccf24. --- .env.example | 14 ++++++-------- docker-compose.yml | 7 +------ src/config/index.js | 34 ++++++++++++++++++++++------------ src/middleware/cors.js | 3 +-- 4 files changed, 30 insertions(+), 28 deletions(-) diff --git a/.env.example b/.env.example index 27b988d..f258836 100644 --- a/.env.example +++ b/.env.example @@ -9,13 +9,7 @@ PORT=3000 # You must update this to the url you use to access your site BASE_URL=http://localhost:3000/ -# Comma-separated list of allowed origins for CORS -# (default: '*' if empty, add your base_url if you want to restrict only to base_url) -# When adding multiple origins, base_url will be included by default -# ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com -ALLOWED_ORIGINS=* - -# Node environment (default: production) +# Node environment (default: development) NODE_ENV=production ######################################### @@ -68,4 +62,8 @@ APPRISE_SIZE_UNIT=Auto ######################################### # Enable automatic upload on file selection (true/false, default: false) -AUTO_UPLOAD=false \ No newline at end of file +AUTO_UPLOAD=false + +# Comma-separated list of origins allowed to embed the app in an iframe (optional) +# ALLOWED_IFRAME_ORIGINS=https://example.com,https://another.com +ALLOWED_IFRAME_ORIGINS= \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 85ceb49..2a70e37 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -15,14 +15,9 @@ services: AUTO_UPLOAD: true # Upload without clicking button BASE_URL: http://localhost:3000 # The base URL for the application, You must update this to the url you use to access your site - # Comma-separated list of allowed origins for CORS - # (default: '*' if empty, add your base_url if you want to restrict only to base_url) - # When adding multiple origins, base_url will be included by default - # ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com - # Additional available environment variables (commented out with defaults) # PORT: 3000 # Server port (default: 3000) - # NODE_ENV: production # Node environment (development/production) - when not using production ALLOWED_ORIGINS will be set to '*' by default + # NODE_ENV: production # Node environment (development/production) # DEBUG: false # Debug mode for verbose logging (default: false in production, true in development) # APPRISE_URL: "" # Apprise notification URL for upload notifications (default: none) # APPRISE_MESSAGE: "New file uploaded - {filename} ({size}), Storage used {storage}" # Notification message template with placeholders: {filename}, {size}, {storage} diff --git a/src/config/index.js b/src/config/index.js index c80a675..440e74e 100644 --- a/src/config/index.js +++ b/src/config/index.js @@ -1,5 +1,16 @@ require('dotenv').config(); - +console.log('Loaded ENV:', { + PORT: process.env.PORT, + UPLOAD_DIR: process.env.UPLOAD_DIR, + LOCAL_UPLOAD_DIR: process.env.LOCAL_UPLOAD_DIR, + NODE_ENV: process.env.NODE_ENV +}); +console.log('Loaded ENV:', { + PORT: process.env.PORT, + UPLOAD_DIR: process.env.UPLOAD_DIR, + LOCAL_UPLOAD_DIR: process.env.LOCAL_UPLOAD_DIR, + NODE_ENV: process.env.NODE_ENV +}); const { validatePin } = require('../utils/security'); const logger = require('../utils/logger'); const fs = require('fs'); 
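Review bot: `ALLOWED_ORIGINS` loses its documentation here and in the first `.env.example` hunk, yet the `src/middleware/cors.js` context lines in this same patch still branch on `ALLOWED_ORIGINS === '*'`. Those lines also still set `allowedOrigins = '*'` when `NODE_ENV === 'development'`, so the clause dropped from the `NODE_ENV` comment ("when not using production ALLOWED_ORIGINS will be set to '*'") continues to describe real behaviour, at least for development. An operator reading the compose file can no longer tell that CORS is configurable or that a non-production environment opens it up. If the variable stays supported after the revert, keep a line such as `# ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com # Comma-separated list of allowed origins for CORS` among the optional variables and restore the warning on the `NODE_ENV` comment.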
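Review bot: The `console.log('Loaded ENV:', …)` block at the top of `src/config/index.js` is added twice, byte for byte, so every start-up prints the same object two times. Both copies run before `logger` is required on the lines that follow, so they bypass whatever level filtering or formatting `../utils/logger` applies (its behaviour is not visible here). Keep a single copy, move it below the `require` lines, and emit it through the `logConfig` helper that this file already defines further down. The four fields printed are not secrets, but any later addition to this object should be checked so that values such as a PIN or an Apprise URL never reach stdout.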
@@ -22,6 +33,7 @@ const { version } = require('../../package.json'); // Get version from package.j * APPRISE_MESSAGE - Notification message template (default provided) * APPRISE_SIZE_UNIT - Size unit for notifications (optional) * ALLOWED_EXTENSIONS - Comma-separated list of allowed file extensions (optional) + * ALLOWED_IFRAME_ORIGINS - Comma-separated list of allowed iframe origins (optional) */ // Helper for clear configuration logging @@ -31,20 +43,13 @@ const logConfig = (message, level = 'info') => { }; // Default configurations +const DEFAULT_PORT = 3000; const DEFAULT_CHUNK_SIZE = 1024 * 1024 * 100; // 100MB const DEFAULT_SITE_TITLE = 'DumbDrop'; -const NODE_ENV = process.env.NODE_ENV || 'production'; const PORT = process.env.PORT || 3000; const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`; const DEFAULT_CLIENT_MAX_RETRIES = 5; // Default retry count -console.log('Loaded ENV:', { - PORT, - UPLOAD_DIR: process.env.UPLOAD_DIR, - LOCAL_UPLOAD_DIR: process.env.LOCAL_UPLOAD_DIR, - NODE_ENV, - BASE_URL, - ALLOWED_ORIGINS: process.env.ALLOWED_ORIGINS || '*', -}); + const logAndReturn = (key, value, isDefault = false) => { logConfig(`${key}: ${value}${isDefault ? ' (default)' : ''}`); return value; @@ -117,12 +122,12 @@ const config = { * Port for the server (default: 3000) * Set via PORT in .env */ - port: process.env.PORT, + port: process.env.PORT || DEFAULT_PORT, /** * Node environment (default: 'development') * Set via NODE_ENV in .env */ - nodeEnv: process.env.NODE_ENV || 'production', + nodeEnv: process.env.NODE_ENV || 'development', /** * Base URL for the app (default: http://localhost:${PORT}) * Set via BASE_URL in .env 
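Review bot: `DEFAULT_PORT` is introduced in the "Default configurations" block, but the line two below it still hard-codes the literal, `const PORT = process.env.PORT || 3000;`. The default now lives in two places, and the `BASE_URL` fallback built from `PORT` can drift from `config.port`. Use the constant in both: `const PORT = process.env.PORT || DEFAULT_PORT;`. The start-up log removed in this hunk was the only place the effective `BASE_URL` and `ALLOWED_ORIGINS` were printed; those two fields help an operator spot a wide-open CORS setting, so consider keeping them in whichever single log call survives.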
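Review bot: Falling back to `'development'` for `nodeEnv` makes the least restrictive mode the default when `NODE_ENV` is unset. It also disagrees with `src/middleware/cors.js`, whose context line in this patch still reads `process.env.NODE_ENV || 'production'`. With the variable unset, the config object reports development (the compose file comment says DEBUG defaults to true there) while the CORS module behaves as production, so the two modules describe different environments. A fail-safe default would be `nodeEnv: process.env.NODE_ENV || 'production',`, with the JSDoc line above it changed to `(default: 'production')`. The `config` object literal starts and ends outside this hunk, so other readers of `config.nodeEnv` cannot be checked from here.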
@@ -207,6 +212,10 @@ const config = { process.env.ALLOWED_EXTENSIONS.split(',').map(ext => ext.trim().toLowerCase()) : null, + allowedIframeOrigins: process.env.ALLOWED_IFRAME_ORIGINS + ? process.env.ALLOWED_IFRAME_ORIGINS.split(',').map(origin => origin.trim()).filter(Boolean) + : null, + /** * Max number of retries for client-side chunk uploads (default: 5) * Set via CLIENT_MAX_RETRIES in .env @@ -243,6 +252,7 @@ function validateConfig() { // Validate BASE_URL format try { + let url = new URL(config.baseUrl); // Ensure BASE_URL ends with a slash if (!config.baseUrl.endsWith('/')) { logger.warn('BASE_URL did not end with a trailing slash. Automatically appending "/".'); diff --git a/src/middleware/cors.js b/src/middleware/cors.js index 117a27e..1b09c03 100644 --- a/src/middleware/cors.js +++ b/src/middleware/cors.js @@ -3,8 +3,7 @@ const NODE_ENV = process.env.NODE_ENV || 'production'; let allowedOrigins = []; function setupOrigins(baseUrl) { - const normalizedBaseUrl = normalizeOrigin(baseUrl); - allowedOrigins = [ normalizedBaseUrl ]; + allowedOrigins = [ baseUrl ]; if (NODE_ENV === 'development' || ALLOWED_ORIGINS === '*') allowedOrigins = '*'; else if (ALLOWED_ORIGINS && typeof ALLOWED_ORIGINS === 'string') {
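Review bot: The entries of `ALLOWED_IFRAME_ORIGINS` are only trimmed and de-blanked, so a typo or a value that carries a path is stored in `allowedIframeOrigins` as-is. Where the list is consumed is not visible in this patch; if it is interpolated into a `Content-Security-Policy: frame-ancestors` or `X-Frame-Options` header, an unvalidated entry can silently widen or break the framing policy. Normalising each entry at load time, for example by appending `.map(origin => new URL(origin).origin)` after `.filter(Boolean)`, rejects malformed values at start-up and strips paths. The property also lacks the JSDoc block its neighbours have; `/** Origins allowed to embed the app in an iframe (default: null). Set via ALLOWED_IFRAME_ORIGINS in .env */` would match the file's style. The `config` object starts and ends outside this hunk.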
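Review bot: `let url = new URL(config.baseUrl);` in `validateConfig` binds a variable that nothing in this hunk reads and that is never reassigned. It will trip `no-unused-vars` and `prefer-const`, and it hides the fact that the call is there only to throw on a malformed URL. If the rest of the `try` block (outside this hunk) does not use it, write `new URL(config.baseUrl); // throws on malformed BASE_URL`; otherwise declare it `const`. If the binding is kept, it can also reject non-HTTP schemes: `if (!['http:', 'https:'].includes(url.protocol)) throw new Error('BASE_URL must be http(s)');`.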
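Review bot: Seeding `allowedOrigins` with the raw `baseUrl` in `setupOrigins` drops the normalisation the reverted commit had, while `validateConfig` in `src/config/index.js` forces `BASE_URL` to end in `/`. A browser's `Origin` header never carries a trailing slash or path. If the caller passes `config.baseUrl` and the list is matched by string equality (both outside this hunk), the app's own origin will not match whenever `ALLOWED_ORIGINS` is a restricted list. Keep the entry in origin form, `allowedOrigins = [ new URL(baseUrl).origin ];`, or retain `normalizeOrigin(baseUrl)` if that helper still exists after the revert. `setupOrigins` continues past the end of the hunk.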