Allow dashboard fallback CORS preflight

Author: yelixir-dev

src/server.ts

@@ -135,6 +135,7 @@ function isAdminRequest(request: FastifyRequest): boolean {
 }
 
 function shouldRequireAuth(request: FastifyRequest): boolean {
+  if (request.method === "OPTIONS") return false;
   if (request.method === "GET" && request.url.startsWith("/admin/config")) return false;
   if (request.method === "GET" && request.url.startsWith("/admin/commandcode/credentials")) {
     return false;
@@ -144,12 +145,28 @@ function shouldRequireAuth(request: FastifyRequest): boolean {
 
 function isPublicAdminRequest(request: FastifyRequest): boolean {
   return (
-    request.method === "GET" &&
-    (request.url.startsWith("/admin/config") ||
-      request.url.startsWith("/admin/commandcode/credentials"))
+    request.method === "OPTIONS" ||
+    (request.method === "GET" &&
+      (request.url.startsWith("/admin/config") ||
+        request.url.startsWith("/admin/commandcode/credentials")))
   );
 }
 
+function sameHostnameOrigin(request: FastifyRequest): string | undefined {
+  const origin = request.headers.origin;
+  if (!origin) return undefined;
+  const host = request.headers.host;
+  if (!host) return undefined;
+  try {
+    const originUrl = new URL(origin);
+    const hostName = host.split(":")[0];
+    if (originUrl.protocol === "http:" && originUrl.hostname === hostName) return origin;
+  } catch {
+    return undefined;
+  }
+  return undefined;
+}
+
 function asOpenAIRequest(
   value: z.infer<typeof chatCompletionRequestSchema>,
 ): OpenAIChatCompletionRequest {
@@ -320,8 +337,22 @@ export async function createApp(options: CreateAppOptions = {}): Promise<Fastify
       },
     },
   });
-  await app.register(rateLimit, { max: config.rateLimitMax, timeWindow: config.rateLimitWindow });
   if (config.corsOrigin) await app.register(cors, { origin: config.corsOrigin });
+  app.addHook("onRequest", async (request, reply) => {
+    if (config.corsOrigin) return;
+    const origin = sameHostnameOrigin(request);
+    if (!origin) return;
+    reply.header("access-control-allow-origin", origin);
+    reply.header("vary", "origin");
+    reply.header("access-control-allow-methods", "GET,PUT,POST,OPTIONS");
+    reply.header("access-control-allow-headers", "authorization,content-type,x-api-key");
+  });
+  app.options("*", async (request, reply) => {
+    const origin = config.corsOrigin ? request.headers.origin : sameHostnameOrigin(request);
+    if (!origin && !config.corsOrigin) return reply.code(404).send();
+    return reply.code(204).send();
+  });
+  await app.register(rateLimit, { max: config.rateLimitMax, timeWindow: config.rateLimitWindow });
 
   let balanceAlertTimer: NodeJS.Timeout | undefined;
   if (balanceAlertManager) {

tests/admin-config.test.ts

@@ -248,4 +248,33 @@ describe("JSON dashboard configuration", () => {
     );
     await app.close();
   });
+
+  it("allows same-host dashboard fallback writes from portless mobile origins", async () => {
+    const file = tempConfigFile({
+      routing: { policy: "daily_burn_priority", maxInFlightPerCredential: 4 },
+      credentials: [{ id: "alpha", apiKey: "alpha-secret", weight: 1 }],
+    });
+    const app = await createApp({
+      upstream: new FakeCommandCodeClient(),
+      configEnv: { COMMANDCODE_CREDENTIALS_FILE: file },
+      configAuthPaths: [],
+      configOverrides: { bridgeApiKey: "bridge-secret", logLevel: "silent" },
+    });
+
+    const preflight = await app.inject({
+      method: "OPTIONS",
+      url: "/admin/config",
+      headers: {
+        origin: "http://100.88.251.70",
+        "access-control-request-method": "PUT",
+        "access-control-request-headers": "authorization,content-type",
+        host: "100.88.251.70:9992",
+      },
+    });
+    expect(preflight.statusCode).toBe(204);
+    expect(preflight.headers["access-control-allow-origin"]).toBe("http://100.88.251.70");
+    expect(preflight.headers["access-control-allow-headers"]).toContain("authorization");
+
+    await app.close();
+  });
 });