From 9792f06691985ec0927029ae3523e4ccea0ccf24 Mon Sep 17 00:00:00 2001 From: gitmotion <43588713+gitmotion@users.noreply.github.com> Date: Fri, 20 Jun 2025 09:30:23 -0700 Subject: [PATCH] deprecate ALLOWED_IFRAME_ORIGINS --- .env.example | 14 ++++++++------ docker-compose.yml | 7 ++++++- src/config/index.js | 34 ++++++++++++---------------------- src/middleware/cors.js | 3 ++- 4 files changed, 28 insertions(+), 30 deletions(-) diff --git a/.env.example b/.env.example index f258836..27b988d 100644 --- a/.env.example +++ b/.env.example @@ -9,7 +9,13 @@ PORT=3000 # You must update this to the url you use to access your site BASE_URL=http://localhost:3000/ -# Node environment (default: development) +# Comma-separated list of allowed origins for CORS +# (default: '*' if empty, add your base_url if you want to restrict only to base_url) +# When adding multiple origins, base_url will be included by default +# ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com +ALLOWED_ORIGINS=* + +# Node environment (default: production) NODE_ENV=production ######################################### @@ -62,8 +68,4 @@ APPRISE_SIZE_UNIT=Auto ######################################### # Enable automatic upload on file selection (true/false, default: false) -AUTO_UPLOAD=false - -# Comma-separated list of origins allowed to embed the app in an iframe (optional) -# ALLOWED_IFRAME_ORIGINS=https://example.com,https://another.com -ALLOWED_IFRAME_ORIGINS= \ No newline at end of file +AUTO_UPLOAD=false \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 2a70e37..85ceb49 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
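Review bot: The example file now ships `ALLOWED_ORIGINS=*` as the active value, and the comment above it says an empty value also means `*`, so anyone who copies `.env.example` to `.env` runs with any-origin CORS in production and there is no restrictive default anywhere. For what looks like a PIN-gated upload service (config imports `validatePin`) that is a weaker posture than the BASE_URL-only restriction the comment alludes to, and browsers will reject a wildcard outright if the CORS layer ever sends credentials (whether it does is not visible in this patch). I would ship the line commented out and spell out the consequence: `# WARNING: '*' (or an empty value) lets any website make cross-origin requests to this instance;` followed by `# for anything reachable beyond localhost set it to your BASE_URL, e.g. ALLOWED_ORIGINS=https://drop.example.com`.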
@@ -15,9 +15,14 @@ services: AUTO_UPLOAD: true # Upload without clicking button BASE_URL: http://localhost:3000 # The base URL for the application, You must update this to the url you use to access your site + # Comma-separated list of allowed origins for CORS + # (default: '*' if empty, add your base_url if you want to restrict only to base_url) + # When adding multiple origins, base_url will be included by default + # ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com + # Additional available environment variables (commented out with defaults) # PORT: 3000 # Server port (default: 3000) - # NODE_ENV: production # Node environment (development/production) + # NODE_ENV: production # Node environment (development/production) - when not using production ALLOWED_ORIGINS will be set to '*' by default # DEBUG: false # Debug mode for verbose logging (default: false in production, true in development) # APPRISE_URL: "" # Apprise notification URL for upload notifications (default: none) # APPRISE_MESSAGE: "New file uploaded - (unknown) ({size}), Storage used {storage}" # Notification message template with placeholders: (unknown), {size}, {storage} diff --git a/src/config/index.js b/src/config/index.js index 440e74e..c80a675 100644 --- a/src/config/index.js +++ b/src/config/index.js @@ -1,16 +1,5 @@ require('dotenv').config(); -console.log('Loaded ENV:', { - PORT: process.env.PORT, - UPLOAD_DIR: process.env.UPLOAD_DIR, - LOCAL_UPLOAD_DIR: process.env.LOCAL_UPLOAD_DIR, - NODE_ENV: process.env.NODE_ENV -}); -console.log('Loaded ENV:', { - PORT: process.env.PORT, - UPLOAD_DIR: process.env.UPLOAD_DIR, - LOCAL_UPLOAD_DIR: process.env.LOCAL_UPLOAD_DIR, - NODE_ENV: process.env.NODE_ENV -}); + const { validatePin } = require('../utils/security'); const logger = require('../utils/logger'); const fs = require('fs'); 
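Review bot: The new NODE_ENV comment says ALLOWED_ORIGINS "will be set to '*' by default" outside production, but the cors.js hunk in this same patch (`if (NODE_ENV === 'development' || ALLOWED_ORIGINS === '*') allowedOrigins = '*'`) opens CORS to every origin in development unconditionally, even when an operator has configured an explicit allow-list, so "by default" understates what happens. Since this compose file is what most operators copy, say it plainly: `# NODE_ENV: production # Node environment (development/production) - in development CORS is opened to '*' and ALLOWED_ORIGINS is ignored`. The same wording belongs on the ALLOWED_ORIGINS comment block added a few lines above, which currently does not mention the development override at all.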
@@ -33,7 +22,6 @@ const { version } = require('../../package.json'); // Get version from package.j * APPRISE_MESSAGE - Notification message template (default provided) * APPRISE_SIZE_UNIT - Size unit for notifications (optional) * ALLOWED_EXTENSIONS - Comma-separated list of allowed file extensions (optional) - * ALLOWED_IFRAME_ORIGINS - Comma-separated list of allowed iframe origins (optional) */ // Helper for clear configuration logging @@ -43,13 +31,20 @@ const logConfig = (message, level = 'info') => { }; // Default configurations -const DEFAULT_PORT = 3000; const DEFAULT_CHUNK_SIZE = 1024 * 1024 * 100; // 100MB const DEFAULT_SITE_TITLE = 'DumbDrop'; +const NODE_ENV = process.env.NODE_ENV || 'production'; const PORT = process.env.PORT || 3000; const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`; const DEFAULT_CLIENT_MAX_RETRIES = 5; // Default retry count - +console.log('Loaded ENV:', { + PORT, + UPLOAD_DIR: process.env.UPLOAD_DIR, + LOCAL_UPLOAD_DIR: process.env.LOCAL_UPLOAD_DIR, + NODE_ENV, + BASE_URL, + ALLOWED_ORIGINS: process.env.ALLOWED_ORIGINS || '*', +}); const logAndReturn = (key, value, isDefault = false) => { logConfig(`${key}: ${value}${isDefault ? ' (default)' : ''}`); return value; @@ -122,12 +117,12 @@ const config = { * Port for the server (default: 3000) * Set via PORT in .env */ - port: process.env.PORT || DEFAULT_PORT, + port: process.env.PORT, /** * Node environment (default: 'development') * Set via NODE_ENV in .env */ - nodeEnv: process.env.NODE_ENV || 'development', + nodeEnv: process.env.NODE_ENV || 'production', /** * Base URL for the app (default: http://localhost:${PORT}) * Set via BASE_URL in .env 
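Review bot: The re-added startup dump in the second hunk uses `console.log` although this file already imports `logger` and defines `logConfig(message, level)` for exactly this kind of output, so the ENV summary bypasses whatever level filtering and formatting the project logger applies. Its `ALLOWED_ORIGINS: process.env.ALLOWED_ORIGINS || '*'` also hard-codes a fallback that duplicates whatever defaulting cors.js does (the `ALLOWED_ORIGINS` definition there is outside the hunk), so the log reports a value the middleware may not actually use if either side changes. I would route the dump through `logConfig` with the object serialized via `JSON.stringify`, or drop the block entirely since `logAndReturn` defined directly below it appears intended for per-setting logging, and report the origins value the CORS module exposes rather than recomputing it here.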
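Review bot: `port: process.env.PORT,` in the third hunk drops the `DEFAULT_PORT` fallback the old line had (and the constant itself is deleted in the hunk above), so with PORT unset `config.port` is now `undefined` while the JSDoc directly above it still promises "(default: 3000)" and `BASE_URL` still defaults to `http://localhost:3000`; if the server listens on `config.port`, Node will bind an ephemeral port and the advertised BASE_URL will be wrong. The module already computes `PORT` and `NODE_ENV` with the intended fallbacks a few lines earlier, so reuse them: `port: PORT,` and `nodeEnv: NODE_ENV,`. The JSDoc for nodeEnv also still says "(default: 'development')" and should read ` * Node environment (default: 'production')`; the `config` object itself continues outside the hunk.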
@@ -212,10 +207,6 @@ const config = { process.env.ALLOWED_EXTENSIONS.split(',').map(ext => ext.trim().toLowerCase()) : null, - allowedIframeOrigins: process.env.ALLOWED_IFRAME_ORIGINS - ? process.env.ALLOWED_IFRAME_ORIGINS.split(',').map(origin => origin.trim()).filter(Boolean) - : null, - /** * Max number of retries for client-side chunk uploads (default: 5) * Set via CLIENT_MAX_RETRIES in .env @@ -252,7 +243,6 @@ function validateConfig() { // Validate BASE_URL format try { - let url = new URL(config.baseUrl); // Ensure BASE_URL ends with a slash if (!config.baseUrl.endsWith('/')) { logger.warn('BASE_URL did not end with a trailing slash. Automatically appending "/".'); diff --git a/src/middleware/cors.js b/src/middleware/cors.js index 1b09c03..117a27e 100644 --- a/src/middleware/cors.js +++ b/src/middleware/cors.js @@ -3,7 +3,8 @@ const NODE_ENV = process.env.NODE_ENV || 'production'; let allowedOrigins = []; function setupOrigins(baseUrl) { - allowedOrigins = [ baseUrl ]; + const normalizedBaseUrl = normalizeOrigin(baseUrl); + allowedOrigins = [ normalizedBaseUrl ]; if (NODE_ENV === 'development' || ALLOWED_ORIGINS === '*') allowedOrigins = '*'; else if (ALLOWED_ORIGINS && typeof ALLOWED_ORIGINS === 'string') {
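Review bot: Removing `allowedIframeOrigins` from the config object is only safe if nothing else still reads it, and the diffstat lists no change outside these four files; if a headers middleware builds `Content-Security-Policy: frame-ancestors` or `X-Frame-Options` from `config.allowedIframeOrigins`, it now receives `undefined` (I cannot see such a consumer from here, so please confirm). Since the commit frames this as a deprecation, it is worth stating that a CORS allow-list only controls which origins may read responses and does nothing to stop another site from framing the app, so whatever clickjacking protection ALLOWED_IFRAME_ORIGINS provided needs a stated replacement rather than a silent removal. A line in the env-var doc block at the top of this file would tell operators what changed: ` * ALLOWED_IFRAME_ORIGINS - removed; note ALLOWED_ORIGINS (CORS) does not restrict which sites may frame the app`. The `config` object continues outside the hunk.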
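Review bot: Deleting `let url = new URL(config.baseUrl);` in the `validateConfig` hunk removes the only statement in this try block that actually validated BASE_URL's format; the binding was unused, but its throw was the check the surrounding `// Validate BASE_URL format` comment describes, so a malformed BASE_URL now passes validation and reaches `normalizeOrigin(baseUrl)` in cors.js, where it seeds the CORS allow-list (how that helper handles an unparseable value is not visible in the patch). Keep the side effect without the dead variable: `new URL(config.baseUrl); // throws TypeError on a malformed BASE_URL`, or `void new URL(config.baseUrl);` if an unused-expression lint is what prompted the removal. The rest of the try/catch, including what the catch does with the error, lies outside the hunk.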