{"version":3,"file":"cors.mjs","sources":["../../src/middlewares/cors.ts"],"sourcesContent":["import koaCors from '@koa/cors';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = {\n  enabled?: boolean;\n  origin: string | string[] | ((ctx: any) => string | string[] | Promise<string | string[]>);\n  expose?: string | string[];\n  maxAge?: number;\n  credentials?: boolean;\n  methods?: string | string[];\n  headers?: string | string[];\n  keepHeadersOnError?: boolean;\n};\n\nconst defaults: Config = {\n  origin: '*',\n  maxAge: 31536000,\n  credentials: true,\n  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],\n  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],\n  keepHeadersOnError: false,\n};\n\n/**\n * Determines if a request origin is allowed based on the configured origin list\n * @param requestOrigin - The origin from the request header\n * @param configuredOrigin - The origin configuration (string, array, or function)\n * @param ctx - The Koa context (for function-based origin)\n * @returns The allowed origin string or empty string if blocked\n */\nexport const matchOrigin = async (\n  requestOrigin: string | undefined,\n  configuredOrigin:\n    | string\n    | string[]\n    | ((ctx: any) => string | string[] | Promise<string | string[]>),\n  ctx?: any\n): Promise<string> => {\n  if (!requestOrigin) {\n    return '*';\n  }\n\n  let originList: string | string[];\n\n  if (typeof configuredOrigin === 'function') {\n    originList = await configuredOrigin(ctx);\n  } else {\n    originList = configuredOrigin;\n  }\n\n  // Normalize originList into an array\n  let normalizedOrigins: string[];\n  if (Array.isArray(originList)) {\n    normalizedOrigins = originList;\n  } else if (originList === undefined || originList === null) {\n    // Handle undefined/null - treat as wildcard\n    normalizedOrigins = ['*'];\n  } else {\n    // Handle comma-separated string of origins\n    normalizedOrigins = originList.split(',').map((origin) => origin.trim());\n  }\n\n  // Check if wildcard is in the normalized origins\n  if (normalizedOrigins.includes('*')) {\n    return requestOrigin;\n  }\n\n  // Check if request origin is in the normalized origins\n  return normalizedOrigins.includes(requestOrigin) ? requestOrigin : '';\n};\n\nexport const cors: Core.MiddlewareFactory<Config> = (config) => {\n  const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {\n    ...defaults,\n    ...config,\n  };\n\n  if (config.enabled !== undefined) {\n    strapi.log.warn(\n      'The strapi::cors middleware no longer supports the `enabled` option. Using it' +\n        ' to conditionally enable CORS might cause an insecure default. To disable strapi::cors, remove it from' +\n        ' the exported array in config/middleware.js'\n    );\n  }\n\n  return koaCors({\n    async origin(ctx) {\n      const requestOrigin = ctx.get('Origin');\n      return matchOrigin(requestOrigin, origin, ctx);\n    },\n    exposeHeaders: expose,\n    maxAge,\n    credentials,\n    allowMethods: methods,\n    allowHeaders: headers,\n    keepHeadersOnError,\n  });\n};\n"],"names":["defaults","origin","maxAge","credentials","methods","headers","keepHeadersOnError","matchOrigin","requestOrigin","configuredOrigin","ctx","originList","normalizedOrigins","Array","isArray","undefined","split","map","trim","includes","cors","config","expose","enabled","strapi","log","warn","koaCors","get","exposeHeaders","allowMethods","allowHeaders"],"mappings":";;AAeA,MAAMA,QAAmB,GAAA;IACvBC,MAAQ,EAAA,GAAA;IACRC,MAAQ,EAAA,QAAA;IACRC,WAAa,EAAA,IAAA;IACbC,OAAS,EAAA;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA,MAAA;AAAQ,QAAA;AAAU,KAAA;IACrEC,OAAS,EAAA;AAAC,QAAA,cAAA;AAAgB,QAAA,eAAA;AAAiB,QAAA,QAAA;AAAU,QAAA;AAAS,KAAA;IAC9DC,kBAAoB,EAAA;AACtB,CAAA;AAEA;;;;;;AAMC,IACM,MAAMC,WAAc,GAAA,OACzBC,eACAC,gBAIAC,EAAAA,GAAAA,GAAAA;AAEA,IAAA,IAAI,CAACF,aAAe,EAAA;QAClB,OAAO,GAAA;AACT;IAEA,IAAIG,UAAAA;IAEJ,IAAI,OAAOF,qBAAqB,UAAY,EAAA;AAC1CE,QAAAA,UAAAA,GAAa,MAAMF,gBAAiBC,CAAAA,GAAAA,CAAAA;KAC/B,MAAA;QACLC,UAAaF,GAAAA,gBAAAA;AACf;;IAGA,IAAIG,iBAAAA;IACJ,IAAIC,KAAAA,CAAMC,OAAO,CAACH,UAAa,CAAA,EAAA;QAC7BC,iBAAoBD,GAAAA,UAAAA;AACtB,KAAA,MAAO,IAAIA,UAAAA,KAAeI,SAAaJ,IAAAA,UAAAA,KAAe,IAAM,EAAA;;QAE1DC,iBAAoB,GAAA;AAAC,YAAA;AAAI,SAAA;KACpB,MAAA;;QAELA,iBAAoBD,GAAAA,UAAAA,CAAWK,KAAK,CAAC,GAAA,CAAA,CAAKC,GAAG,CAAC,CAAChB,MAAWA,GAAAA,MAAAA,CAAOiB,IAAI,EAAA,CAAA;AACvE;;IAGA,IAAIN,iBAAAA,CAAkBO,QAAQ,CAAC,GAAM,CAAA,EAAA;QACnC,OAAOX,aAAAA;AACT;;AAGA,IAAA,OAAOI,iBAAkBO,CAAAA,QAAQ,CAACX,aAAAA,CAAAA,GAAiBA,aAAgB,GAAA,EAAA;AACrE;AAEO,MAAMY,OAAuC,CAACC,MAAAA,GAAAA;AACnD,IAAA,MAAM,EAAEpB,MAAM,EAAEqB,MAAM,EAAEpB,MAAM,EAAEC,WAAW,EAAEC,OAAO,EAAEC,OAAO,EAAEC,kBAAkB,EAAE,GAAG;AACpF,QAAA,GAAGN,QAAQ;AACX,QAAA,GAAGqB;AACL,KAAA;IAEA,IAAIA,MAAAA,CAAOE,OAAO,KAAKR,SAAW,EAAA;AAChCS,QAAAA,MAAAA,CAAOC,GAAG,CAACC,IAAI,CACb,kFACE,wGACA,GAAA,6CAAA,CAAA;AAEN;AAEA,IAAA,OAAOC,OAAQ,CAAA;AACb,QAAA,MAAM1B,QAAOS,GAAG,EAAA;YACd,MAAMF,aAAAA,GAAgBE,GAAIkB,CAAAA,GAAG,CAAC,QAAA,CAAA;YAC9B,OAAOrB,WAAAA,CAAYC,eAAeP,MAAQS,EAAAA,GAAAA,CAAAA;AAC5C,SAAA;QACAmB,aAAeP,EAAAA,MAAAA;AACfpB,QAAAA,MAAAA;AACAC,QAAAA,WAAAA;QACA2B,YAAc1B,EAAAA,OAAAA;QACd2B,YAAc1B,EAAAA,OAAAA;AACdC,QAAAA;AACF,KAAA,CAAA;AACF;;;;"}