{"version":3,"file":"cors.mjs","sources":["../../src/middlewares/cors.ts"],"sourcesContent":["import koaCors from '@koa/cors';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = {\n  enabled?: boolean;\n  origin: string | string[] | ((ctx: any) => string | string[] | Promise<string | string[]>);\n  expose?: string | string[];\n  maxAge?: number;\n  credentials?: boolean;\n  methods?: string | string[];\n  headers?: string | string[];\n  keepHeadersOnError?: boolean;\n};\n\nconst defaults: Config = {\n  origin: '*',\n  maxAge: 31536000,\n  credentials: true,\n  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],\n  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],\n  keepHeadersOnError: false,\n};\n\n/**\n * Determines if a request origin is allowed based on the configured origin list\n * @param requestOrigin - The origin from the request header\n * @param configuredOrigin - The origin configuration (string, array, or function)\n * @param ctx - The Koa context (for function-based origin)\n * @returns The allowed origin string or empty string if blocked\n */\nexport const matchOrigin = async (\n  requestOrigin: string | undefined,\n  configuredOrigin:\n    | string\n    | string[]\n    | ((ctx: any) => string | string[] | Promise<string | string[]>),\n  ctx?: any\n): Promise<string> => {\n  if (!requestOrigin) {\n    return '*';\n  }\n\n  let originList: string | string[];\n\n  if (typeof configuredOrigin === 'function') {\n    originList = await configuredOrigin(ctx);\n  } else {\n    originList = configuredOrigin;\n  }\n\n  // Normalize originList into an array\n  let normalizedOrigins: string[];\n  if (Array.isArray(originList)) {\n    normalizedOrigins = originList;\n  } else if (originList === undefined || originList === null) {\n    // Handle undefined/null - treat as wildcard\n    normalizedOrigins = ['*'];\n  } else {\n    // Handle comma-separated string of origins\n    normalizedOrigins = originList.split(',').map((origin) => origin.trim());\n  }\n\n  // Check if wildcard is in the normalized origins\n  if (normalizedOrigins.includes('*')) {\n    return requestOrigin;\n  }\n\n  // Check if request origin is in the normalized origins\n  return normalizedOrigins.includes(requestOrigin) ? requestOrigin : '';\n};\n\nexport const cors: Core.MiddlewareFactory<Config> = (config) => {\n  const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {\n    ...defaults,\n    ...config,\n  };\n\n  if (config.enabled !== undefined) {\n    strapi.log.warn(\n      'The strapi::cors middleware no longer supports the `enabled` option. Using it' +\n        ' to conditionally enable CORS might cause an insecure default. To disable strapi::cors, remove it from' +\n        ' the exported array in config/middleware.js'\n    );\n  }\n\n  return koaCors({\n    async origin(ctx) {\n      const requestOrigin = ctx.get('Origin');\n      return matchOrigin(requestOrigin, origin, ctx);\n    },\n    exposeHeaders: expose,\n    maxAge,\n    credentials,\n    allowMethods: methods,\n    allowHeaders: headers,\n    keepHeadersOnError,\n  });\n};\n"],"names":["defaults","origin","maxAge","credentials","methods","headers","keepHeadersOnError","matchOrigin","requestOrigin","configuredOrigin","ctx","originList","normalizedOrigins","Array","isArray","undefined","split","map","trim","includes","cors","config","expose","enabled","strapi","log","warn","koaCors","get","exposeHeaders","allowMethods","allowHeaders"],"mappings":";;AAeA,MAAMA,QAAAA,GAAmB;IACvBC,MAAAA,EAAQ,GAAA;IACRC,MAAAA,EAAQ,QAAA;IACRC,WAAAA,EAAa,IAAA;IACbC,OAAAA,EAAS;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA,MAAA;AAAQ,QAAA;AAAU,KAAA;IACrEC,OAAAA,EAAS;AAAC,QAAA,cAAA;AAAgB,QAAA,eAAA;AAAiB,QAAA,QAAA;AAAU,QAAA;AAAS,KAAA;IAC9DC,kBAAAA,EAAoB;AACtB,CAAA;AAEA;;;;;;AAMC,IACM,MAAMC,WAAAA,GAAc,OACzBC,eACAC,gBAAAA,EAIAC,GAAAA,GAAAA;AAEA,IAAA,IAAI,CAACF,aAAAA,EAAe;QAClB,OAAO,GAAA;AACT,IAAA;IAEA,IAAIG,UAAAA;IAEJ,IAAI,OAAOF,qBAAqB,UAAA,EAAY;AAC1CE,QAAAA,UAAAA,GAAa,MAAMF,gBAAAA,CAAiBC,GAAAA,CAAAA;IACtC,CAAA,MAAO;QACLC,UAAAA,GAAaF,gBAAAA;AACf,IAAA;;IAGA,IAAIG,iBAAAA;IACJ,IAAIC,KAAAA,CAAMC,OAAO,CAACH,UAAAA,CAAAA,EAAa;QAC7BC,iBAAAA,GAAoBD,UAAAA;AACtB,IAAA,CAAA,MAAO,IAAIA,UAAAA,KAAeI,SAAAA,IAAaJ,UAAAA,KAAe,IAAA,EAAM;;QAE1DC,iBAAAA,GAAoB;AAAC,YAAA;AAAI,SAAA;IAC3B,CAAA,MAAO;;QAELA,iBAAAA,GAAoBD,UAAAA,CAAWK,KAAK,CAAC,GAAA,CAAA,CAAKC,GAAG,CAAC,CAAChB,MAAAA,GAAWA,MAAAA,CAAOiB,IAAI,EAAA,CAAA;AACvE,IAAA;;IAGA,IAAIN,iBAAAA,CAAkBO,QAAQ,CAAC,GAAA,CAAA,EAAM;QACnC,OAAOX,aAAAA;AACT,IAAA;;AAGA,IAAA,OAAOI,iBAAAA,CAAkBO,QAAQ,CAACX,aAAAA,CAAAA,GAAiBA,aAAAA,GAAgB,EAAA;AACrE;AAEO,MAAMY,OAAuC,CAACC,MAAAA,GAAAA;AACnD,IAAA,MAAM,EAAEpB,MAAM,EAAEqB,MAAM,EAAEpB,MAAM,EAAEC,WAAW,EAAEC,OAAO,EAAEC,OAAO,EAAEC,kBAAkB,EAAE,GAAG;AACpF,QAAA,GAAGN,QAAQ;AACX,QAAA,GAAGqB;AACL,KAAA;IAEA,IAAIA,MAAAA,CAAOE,OAAO,KAAKR,SAAAA,EAAW;AAChCS,QAAAA,MAAAA,CAAOC,GAAG,CAACC,IAAI,CACb,kFACE,wGAAA,GACA,6CAAA,CAAA;AAEN,IAAA;AAEA,IAAA,OAAOC,OAAAA,CAAQ;AACb,QAAA,MAAM1B,QAAOS,GAAG,EAAA;YACd,MAAMF,aAAAA,GAAgBE,GAAAA,CAAIkB,GAAG,CAAC,QAAA,CAAA;YAC9B,OAAOrB,WAAAA,CAAYC,eAAeP,MAAAA,EAAQS,GAAAA,CAAAA;AAC5C,QAAA,CAAA;QACAmB,aAAAA,EAAeP,MAAAA;AACfpB,QAAAA,MAAAA;AACAC,QAAAA,WAAAA;QACA2B,YAAAA,EAAc1B,OAAAA;QACd2B,YAAAA,EAAc1B,OAAAA;AACdC,QAAAA;AACF,KAAA,CAAA;AACF;;;;"}