From bc097412bb4fbd9baa15632f7236e7d942b8fbbe Mon Sep 17 00:00:00 2001
From: iMaeGoo
Date: Mon, 6 Jan 2025 15:24:39 +0800
Subject: [PATCH] fix: support multi cors-allow-origin for self hosted mongo ver #783
---
 src/server/self-hosted/mongo.js | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/server/self-hosted/mongo.js b/src/server/self-hosted/mongo.js
index 3441be9c6..8e2cc7374 100644
--- a/src/server/self-hosted/mongo.js
+++ b/src/server/self-hosted/mongo.js
@@ -181,13 +181,22 @@ function allowCors (request, response) {
 function getAllowedOrigin (request) {
 const localhostRegex = /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d{1,5})?$/
- if (localhostRegex.test(request.headers.origin)) {
- return request.headers.origin
- } else if (config.CORS_ALLOW_ORIGIN) {
- // 许多用户设置安全域名时,喜欢带结尾的 "/",必须处理掉
- return config.CORS_ALLOW_ORIGIN.replace(/\/$/, '')
+ if (localhostRegex.test(request.headers.origin)) { // 判断是否为本地主机,如是则允许跨域
+ return request.headers.origin // Allow
+ } else if (config.CORS_ALLOW_ORIGIN) { // 如设置了安全域名则检查
+ // 适配多条 CORS 规则
+ // 以逗号分隔 CORS
+ const corsList = config.CORS_ALLOW_ORIGIN.split(',')
+ // 遍历 CORS 列表
+ for (let i = 0; i < corsList.length; i++) {
+ const cors = corsList[i].replace(/\/$/, '') // 获取当前 CORS 并去除末尾的斜杠
+ if (cors === request.headers.origin) {
+ return request.headers.origin // Allow
+ }
+ }
+ return '' // 不在安全域名列表中则禁止跨域
 } else {
- return request.headers.origin
+ return request.headers.origin // 未设置安全域名直接 Allow
 }
 }
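Review bot: The new loop compares each comma-separated entry to `request.headers.origin` without trimming, so a setting written as `https://a.example, https://b.example` (constructed sample) never matches its second entry; `const cors = corsList[i].trim().replace(/\/$/, '')` fixes that, and skipping empty entries keeps a stray trailing comma harmless. Because the configured branch now echoes the request's origin instead of one fixed string, the header value differs per request, so `allowCors` (its body is outside this hunk) should send `Vary: Origin` if it does not already, otherwise a shared cache can hand one origin's header to another. The `return ''` deny path depends on how the caller treats an empty string; omitting `Access-Control-Allow-Origin` entirely is the cleaner rejection and should be confirmed against `allowCors`. The localhost branch and the final `else` still reflect any origin, which this commit does not change, but the comment there should state plainly that an unset `CORS_ALLOW_ORIGIN` means no origin restriction at all.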