From 03fad5006ba087e60df80ecc83704bd8141d00df Mon Sep 17 00:00:00 2001
From: grich88
Date: Mon, 20 Oct 2025 10:48:34 +1100
Subject: [PATCH] SECURITY: Fix CORS misconfiguration - replace wildcard with specific origins
- Replace origin: '*' with specific allowed origins
- Add proper credentials handling
- Restrict exposed headers and methods
- Fix WebSocket CORS configuration
- Prevents unauthorized cross-origin access to workflow APIs
Fixes: #313
---
 workflow/packages/backend/api/src/app/app.ts | 7 ++++++-
 workflow/packages/backend/api/src/app/server.ts | 14 +++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/workflow/packages/backend/api/src/app/app.ts b/workflow/packages/backend/api/src/app/app.ts
index bba25407..ffe24a94 100644
--- a/workflow/packages/backend/api/src/app/app.ts
+++ b/workflow/packages/backend/api/src/app/app.ts
@@ -165,7 +165,12 @@ export const setupApp = async (app: FastifyInstance): Promise =
 await app.register(fastifySocketIO, {
 cors: {
- origin: '*',
+ origin: [
+ 'https://app.aixblock.io',
+ 'https://workflow.aixblock.io',
+ 'https://workflow-live.aixblock.io'
+ ],
+ credentials: true
 },
 ...spreadIfDefined('adapter', await getAdapter()),
 transports: ['websocket'],
diff --git a/workflow/packages/backend/api/src/app/server.ts b/workflow/packages/backend/api/src/app/server.ts
index 848ced9d..60c2dc03 100644
--- a/workflow/packages/backend/api/src/app/server.ts
+++ b/workflow/packages/backend/api/src/app/server.ts
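Review bot: The origin allow-list added inside the `cors:` block of the `fastifySocketIO` registration is a second verbatim copy of the list added to the `cors` registration in server.ts, so the Socket.IO policy and the HTTP policy can silently drift apart the next time an origin is added or retired. Hoist the three URLs into one exported constant (say `allowedOrigins`) that both registrations reference, ideally populated from configuration with this list as the production default, so non-production deployments are not tempted to reintroduce `'*'`. Because `credentials: true` is now set, a one-line comment on the `cors:` block such as `// exact-match allow-list is required: credentials must never be combined with a wildcard origin` records the invariant for the next maintainer. `setupApp` begins before and continues past this hunk.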
@@ -74,10 +74,18 @@ async function setupBaseApp(): Promise {
 await app.register(formBody, { parser: (str) => qs.parse(str) })
 app.setErrorHandler(errorHandler)
+ // SECURITY FIX: Replace wildcard CORS with specific allowed origins
+ // This prevents unauthorized cross-origin access to workflow execution APIs
 await app.register(cors, {
- origin: '*',
- exposedHeaders: ['*'],
- methods: ['*'],
+ origin: [
+ 'https://app.aixblock.io',
+ 'https://workflow.aixblock.io',
+ 'https://workflow-live.aixblock.io'
+ ],
+ credentials: true,
+ exposedHeaders: ['Content-Type', 'Authorization'],
+ methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+ allowedHeaders: ['Origin', 'Content-Type', 'Accept', 'Authorization', 'X-Requested-With']
 })
 // SurveyMonkey
 app.addContentTypeParser(
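Review bot: The new `methods` list replaces `['*']` with GET/POST/PUT/DELETE/OPTIONS and so omits `PATCH`; if the API registers any PATCH route, preflighted requests from the three allowed origins will now be refused, and that is either a regression or an intentional restriction that deserves a comment (otherwise add `'PATCH'` to the list). `exposedHeaders: ['Content-Type', 'Authorization']` looks like a mix-up between request and response headers: `Content-Type` is already a CORS-safelisted response header and `Authorization` is a request header the server does not normally echo, so the entry is most likely dead configuration, harmless but misleading. The `// SECURITY FIX` comment would be more useful if it also stated why `credentials: true` is acceptable here, e.g. `// credentials are allowed only because origin is an exact-match list; never pair credentials with '*'`. `setupBaseApp` begins before this hunk and its body continues after it.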