diff --git a/packages/types/src/common/config-module.ts b/packages/types/src/common/config-module.ts
index 0846ed094e..7964e1cfbb 100644
--- a/packages/types/src/common/config-module.ts
+++ b/packages/types/src/common/config-module.ts
@@ -175,6 +175,54 @@ export type ProjectConfigOptions = {
 * ```
 */
 admin_cors?: string
+ /**
+ * The Medusa backend’s API Routes are protected by Cross-Origin Resource Sharing (CORS). So, only allowed URLs or URLs matching a specified pattern can send requests to the backend’s API Routes.
+ *
+ * `auth_cors` is a string used to specify the accepted URLs or patterns for API Routes starting with `/auth`. It can either be one accepted origin, or a comma-separated list of accepted origins.
+ *
+ * Every origin in that list must either be:
+ *
+ * 1. A URL. For example, `http://localhost:7001`. The URL must not end with a backslash;
+ * 2. Or a regular expression pattern that can match more than one origin. For example, `.example.com`. The regex pattern that the backend tests for is `^([\/~@;%#'])(.*?)\1([gimsuy]*)$`.
+ *
+ * @example
+ * Some example values of common use cases:
+ *
+ * ```bash
+ * # Allow different ports locally starting with 700
+ * AUTH_CORS=/http:\/\/localhost:700\d+$/
+ *
+ * # Allow any origin ending with vercel.app. For example, admin.vercel.app
+ * AUTH_CORS=/vercel\.app$/
+ *
+ * # Allow all HTTP requests
+ * AUTH_CORS=/http:\/\/.+/
+ * ```
+ *
+ * Then, set the configuration in `medusa-config.js`:
+ *
+ * ```js title="medusa-config.js"
+ * module.exports = {
+ * projectConfig: {
+ * auth_cors: process.env.AUTH_CORS,
+ * // ...
+ * },
+ * // ...
+ * }
+ * ```
+ *
+ * If you’re adding the value directly within `medusa-config.js`, make sure to add an extra escaping `/` for every backslash in the pattern. For example:
+ *
+ * ```js title="medusa-config.js"
+ * module.exports = {
+ * projectConfig: {
+ * auth_cors: "/http:\\/\\/localhost:700\\d+$/",
+ * // ...
+ * },
+ * // ...
+ * }
+ * ```
+ */
 auth_cors?: string
 /**
 * A random string used to create cookie tokens. Although this configuration option is not required, it’s highly recommended to set it for better security.
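Review bot: In the added `1. A URL.` line, "must not end with a backslash" should read "slash": the example `http://localhost:7001` is an origin, and a trailing `/` is what would stop it matching, while a backslash does not occur in a URL; suggested text: `The URL must not end with a trailing slash;`. The `# Allow all HTTP requests` example, `AUTH_CORS=/http:\/\/.+/`, accepts every plain-HTTP origin for the routes under `/auth`, which presumably handle login, so this value should be labelled as a development-only setting rather than presented alongside the production-style `vercel.app` example, e.g. `# Allow all plain-HTTP origins (local development only)`. The block appears to be copied from the `admin_cors` documentation directly above it, so the same wording fix likely applies there as well. The `ProjectConfigOptions` type that holds this field starts and ends outside the hunk.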