From a4407b3e40109296547a000ce296938ddb3375a5 Mon Sep 17 00:00:00 2001
From: philc <phc@ndda.fr>
Date: Fri, 27 Feb 2026 09:06:01 +0100
Subject: [PATCH] remove cors cause manage in reverse proxy

---
 apxtri/apxtri.js | 72 +-----------------------------------------------
 1 file changed, 1 insertion(+), 71 deletions(-)

diff --git a/apxtri/apxtri.js b/apxtri/apxtri.js
index 92f416d..e78ccd9 100755
--- a/apxtri/apxtri.js
+++ b/apxtri/apxtri.js
@@ -35,7 +35,6 @@ const bodyParser = require("body-parser");
 const glob = require("glob");
 const path = require("path");
 const Mustache = require("mustache");
-const cors = require("cors");
 const express = require("express");
 const process = require("process");
 
@@ -252,7 +251,7 @@ apxtri.runexpress = async (tribesdns, conf) => {
   let tribeIds = Object.keys(tribesdns);
   // context is store in /itm/tribename.json ={contexte:{routes:[],models:[{model:,tplstringslg:[]}]}
   // routes={url,route} check how to add plugin tribe route later
-  // keep only the 2 last part (.) of domain name to validate cors with it (generic domain)
+  // keep only the 2 last part (.) of domain name to validate requests with it (generic domain)
   let routes = [];
   let doms = [];
   tribeIds.forEach((t) => {
@@ -314,75 +313,6 @@ apxtri.runexpress = async (tribesdns, conf) => {
   );
   console.log(currentmod, " app.locals.tribeids", app.locals.tribeids);
 
-  // Cors management
-  let regtxt = "(test";
-  doms.forEach((d) => {
-    regtxt += `|${d.replace(/\./g, "\\.")}(:[0-9]+)?`;
-  });
-  regtxt += ")$";
-  //  let cor = false;whatwg-url
-  const regorigin = new RegExp(regtxt);
-  const allowedOrigins = [
-    'http://dev.smatchit.io:8081',
-    'https://dev.smatchit.io:8081',
-  ];
-  console.log('Allowed origins hardcoded:', allowedOrigins);
-  console.log('CORS regex pattern:', regtxt);
-  app.use(cors({
-    origin: function (origin, callback) {
-      console.log('CORS check - origin:', origin);
-      if (!origin) {
-        return callback(null, true);
-      }
-      
-      if (regorigin.test(origin) || allowedOrigins.includes(origin) || allowedOrigins.includes(origin.replace(/\/$/, ''))) {
-        return callback(null, true);
-      } else {
-        console.log(
-          `CORS blocked: ${origin} does not match pattern ${regtxt}. Add it in itm/tribename.json in dns.`
-        );
-        return callback(null, false);
-      }
-    },
-    allowedHeaders: conf.api.exposedHeaders,
-    exposedHeaders: conf.api.exposedHeaders,
-    credentials: true,
-    preflightContinue: false,
-    optionsSuccessStatus: 204,
-  }));
-
-  app.use((req, res, next) => {
-    const origin = req.headers.origin;
-    if (origin && !regorigin.test(origin) && !allowedOrigins.includes(origin) && !allowedOrigins.includes(origin.replace(/\/$/, ''))) {
-      console.log(`CORS blocked: ${origin}`);
-      return res.status(403).json({ error: 'CORS not allowed', origin });
-    }
-    next();
-  });
-  /*app.use((req, res, next) => {
-    let cor = false;
-    //console.log(req.headers)
-    if (req.headers.origin == undefined) {
-      //used for mobile access
-      cor = true;
-    } else {
-      cor = regorigin.test(req.headers.origin);
-    }
-    if (!cor)
-      console.log(
-        `The domain name ${req.headers.origin} is not allow to access for CORS settings, add it in itm/tribename.json in dns current origin allow are filter by ${regtxt}`
-      );
-    cors({
-      origin: cor,
-      allowedHeaders: conf.api.exposedHeaders,
-      exposedHeaders: conf.api.exposedHeaders,
-      credentials: true,
-      preflightContinue: false,
-      optionsSuccessStatus: 204,
-    });
-    next();
-  });
-  */
   // Routers add any routes from /routes and /plugins
   let logroute = "Routes available on this apxtri instance: \n";
   routes.forEach((r) => {