From bfd9da14abedc45064e72a9d8d1c421f5a59f6fb Mon Sep 17 00:00:00 2001
From: philc <phc@ndda.fr>
Date: Thu, 26 Feb 2026 13:53:43 +0100
Subject: [PATCH] allow port in cors

---
 apxtri/apxtri.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/apxtri/apxtri.js b/apxtri/apxtri.js
index 23b510e..549b2a7 100755
--- a/apxtri/apxtri.js
+++ b/apxtri/apxtri.js
@@ -324,19 +324,17 @@ apxtri.runexpress = async (tribesdns, conf) => {
   const regorigin = new RegExp(regtxt);
   app.use(cors({
     origin: function (origin, callback) {
-      // Allow requests with no origin (like mobile apps, curl, etc.)
       if (!origin) {
         return callback(null, true);
       }
       
-      // Check if origin matches allowed domains pattern
       if (regorigin.test(origin)) {
         return callback(null, true);
       } else {
         console.log(
           `CORS blocked: ${origin} does not match pattern ${regtxt}. Add it in itm/tribename.json in dns.`
         );
-        return callback(new Error('Not allowed by CORS'));
+        return callback(null, false);
       }
     },
     allowedHeaders: conf.api.exposedHeaders,
@@ -345,6 +343,14 @@ apxtri.runexpress = async (tribesdns, conf) => {
     preflightContinue: false,
     optionsSuccessStatus: 204,
   }));
+
+  app.use((req, res, next) => {
+    const origin = req.headers.origin;
+    if (origin && !regorigin.test(origin)) {
+      return res.status(403).json({ error: 'CORS not allowed' });
+    }
+    next();
+  });
   /*app.use((req, res, next) => {
     let cor = false;
     //console.log(req.headers)