isa-group · Alex-GF · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/api/.env.template b/api/.env.template
@@ -2,6 +2,8 @@
 
 BASE_URL_PATH= # OPTIONAL: Base URL path for the application. If not provided, SPACE will use "/api/v1" as default value.
 
+ALLOWED_ORIGINS= # OPTIONAL: Semicolon-separated list of allowed origins for CORS. If not provided, it defaults to "*".
+
 # ---------- DATABASE CONFIGURATION (MongoDB) ----------
 
 DATABASE_NAME= # OPTIONAL: Database name. If not provided, SPACE will use "space_db" as default value.

diff --git a/api/src/main/middlewares/GlobalMiddlewaresLoader.ts b/api/src/main/middlewares/GlobalMiddlewaresLoader.ts
@@ -4,22 +4,44 @@ import helmet from 'helmet';
 import { apiKeyAuthMiddleware } from './ApiKeyAuthMiddleware';
 import { analyticsTrackerMiddleware } from './AnalyticsMiddleware';
 
-const loadGlobalMiddlewares = (app: express.Application) => {
-  app.use(express.json());
-  app.use(cors({
-    origin: process.env.ENVIRONMENT === "development" ? '*' : "http://localhost:5403", // Allow all origins, adjust as necessary for your security needs
-    methods: ['GET', 'POST', 'PUT', 'DELETE'], // Specify allowed methods
-    allowedHeaders: ['Content-Type', 'x-api-key'], // Specify allowed headers
+interface OriginValidatorCallback {
+  (err: Error | null, allow?: boolean): void;
+}
+
+const originValidator = (origin: string | undefined, cb: OriginValidatorCallback): void => {
+  const allowedOrigins: string[] = ['http://localhost:5403', ...((process.env.ALLOWED_ORIGINS ?? '').split(';').map(s => s.trim()).filter(Boolean))];
+
+  // origin === undefined ocurre en curl, postman, etc. Lo puedes permitir
+  if (!origin || !process.env.ALLOWED_ORIGINS || allowedOrigins.includes(origin)) {
+    return cb(null, true);
+  }
+  return cb(null, false);
+}
+
+const corsOptions: cors.CorsOptions = {
+    origin: originValidator,
+    methods: ['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'DELETE'], // Specify allowed methods
     credentials: true // Allow credentials if needed
-  }));
+  }
+
+const loadGlobalMiddlewares = (app: express.Application) => {
+  app.use(express.json({limit: '2mb'}));
+  app.use(express.urlencoded({limit: '2mb', extended: true}));
+  app.use(cors(corsOptions));
+  app.options("*", cors(corsOptions)); // maneja todas las preflight
+
+  // Do not force API key auth on OPTIONS requests
+  app.use((req, res, next) => {
+    if (req.method === "OPTIONS") return res.sendStatus(204);
+    next();
+  });
+
   app.use(helmet(
     {
       crossOriginResourcePolicy: false // allows loading of files from /public
     }
   ));
   app.use(express.static('public'));
-  app.use(express.json({limit: '2mb'}));
-  app.use(express.urlencoded({limit: '2mb', extended: true}));
 
   // Apply API Key authentication middleware to all routes
   // except those defined as public