From a7fede2abaf61a4e4cc168e824ddaff5af261e2b Mon Sep 17 00:00:00 2001
From: troyeguo <13820674+troyeguo@users.noreply.github.com>
Date: Mon, 11 May 2026 19:24:39 +0800
Subject: [PATCH] fix: update CORS handling to allow all origins when no ALLOWED_ORIGINS are configured
---
 httpServer.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/httpServer.js b/httpServer.js
index 4f02073f..618ac538 100644
--- a/httpServer.js
+++ b/httpServer.js
@@ -58,8 +58,8 @@ if (!process.env.SERVER_USERNAME) {
 if (ALLOWED_ORIGINS.length === 0) {
 console.warn(
- "Warning: No ALLOWED_ORIGINS configured. Cross-origin requests will be denied. " +
- "Set ALLOWED_ORIGINS to a comma-separated list of trusted origins if needed."
+ "Warning: No ALLOWED_ORIGINS configured. All cross-origin requests will be allowed. " +
+ "Set ALLOWED_ORIGINS to a comma-separated list of trusted origins to restrict access."
 );
 }
@@ -86,7 +86,10 @@ function applyCorsHeaders(req, res) {
 res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
 res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
- if (origin && ALLOWED_ORIGINS.includes(origin)) {
+ if (
+ origin &&
+ (ALLOWED_ORIGINS.length === 0 || ALLOWED_ORIGINS.includes(origin))
+ ) {
 res.setHeader("Access-Control-Allow-Origin", origin);
 res.setHeader("Access-Control-Allow-Credentials", "true");
 return true;
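Review bot: In `applyCorsHeaders`, the new `ALLOWED_ORIGINS.length === 0` branch echoes whatever `Origin` the request carries and still sends `Access-Control-Allow-Credentials: true`, so a server left unconfigured lets any web page issue credentialed requests and read the responses. Browsers refuse `Access-Control-Allow-Origin: *` combined with credentials for exactly this reason, and reflecting the origin sidesteps that safeguard. I would keep the credentials header for allowlisted origins only and answer the empty-list case with `*` and no credentials header; callers that set `Authorization` themselves should presumably still work because it is listed in `Access-Control-Allow-Headers`, but that depends on how clients authenticate. The startup warning in the first hunk should then say that unconfigured mode is open but non-credentialed. The function body continues past the end of the hunk, so I cannot see whether `Vary: Origin` is set for the reflected case.

```javascript
  // … unchanged: Access-Control-Allow-Methods / Access-Control-Allow-Headers …

  if (origin && ALLOWED_ORIGINS.length === 0) {
    // No allowlist configured: any origin may read responses, but never
    // with ambient credentials (no Access-Control-Allow-Credentials).
    res.setHeader("Access-Control-Allow-Origin", "*");
    return true;
  }

  if (origin && ALLOWED_ORIGINS.includes(origin)) {
    // … unchanged: reflect origin, allow credentials, return true …
```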