From 8e2ec51430969ee30ee0e1df966e1c3ace1045e1 Mon Sep 17 00:00:00 2001
From: Abdulkarim Lahmuni <abdulkarim1422.18@gmail.com>
Date: Fri, 27 Mar 2026 17:39:33 +0300
Subject: [PATCH 1/5] fix: update workflow name to reflect the dev branch for
 Cloudflare Workers deployment

---
 .github/workflows/dev.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 5f7c917..46ef892 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -1,4 +1,4 @@
-name: (main) [fe+mf] Deploy to Cloudflare Workers
+name: (dev) [fe+mf] Deploy to Cloudflare Workers
 
 on:
   push:

From db362fa157681bed83ee6e2f586945ec1648d5fa Mon Sep 17 00:00:00 2001
From: Abdulkarim Lahmuni <abdulkarim1422.18@gmail.com>
Date: Fri, 27 Mar 2026 18:00:07 +0300
Subject: [PATCH 2/5] feat: add support for allowed origins in CORS
 configuration and update environment variables

---
 .env.example              |  2 ++
 .github/workflows/dev.yml |  1 +
 vite.config.ts            | 64 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+)

diff --git a/.env.example b/.env.example
index ad870bb..005874d 100644
--- a/.env.example
+++ b/.env.example
@@ -2,3 +2,5 @@ VITE_NODE_ENV=demo
 
 # FE-main host URL used by federation to load feMain/api
 VITE_FE_MAIN_MF=http://localhost:5173
+
+ALLOWED_ORIGINS=https://localhost:5173,https://127.0.0.1:5173,https://98tools.com,https://*.98tools.com
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 46ef892..702e1ad 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -30,6 +30,7 @@ jobs:
         env:
           VITE_FE_MAIN_MF: ${{ vars.VITE_FE_MAIN_MF }}
           VITE_NODE_ENV: ${{ vars.VITE_NODE_ENV }}
+          ALLOWED_ORIGINS: ${{ vars.ALLOWED_ORIGINS }}
         run: npm run build
 
       - name: Deploy worker
diff --git a/vite.config.ts b/vite.config.ts
index 6a73432..33277df 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -31,5 +31,69 @@ export default defineConfig(({ mode }) => {
       emptyOutDir: false,
       target: 'esnext',
     },
+    server: getServerConfig(env),
   };
 })
+
+function isOriginAllowed(origin: string, allowedOrigins: string[]): boolean {
+  return allowedOrigins.some(allowedOrigin => {
+    if (allowedOrigin.includes('*')) {
+      // Convert wildcard pattern to regex
+      // e.g., 'https://*.98.tools' -> /^https:\/\/.*\.98\.tools$/
+      const pattern = allowedOrigin
+        .replace(/\./g, '\\.')
+        .replace(/\*/g, '[a-zA-Z0-9-]*');
+      const regex = new RegExp(`^${pattern}$`);
+      return regex.test(origin);
+    } else {
+      // Exact match
+      return origin === allowedOrigin;
+    }
+  });
+}
+
+function getServerConfig(env: Record<string, string>): import('vite').ServerOptions | undefined {
+  const isDev = env.VITE_NODE_ENV === 'dev';
+  
+  // Parse allowed origins from environment variable
+  const allowedOriginsStr = env.ALLOWED_ORIGINS || '';
+  const allowedOrigins = allowedOriginsStr
+    .split(',')
+    .map(origin => origin.trim())
+    .filter(origin => origin.length > 0);
+
+  const serverConfig: import('vite').ServerOptions = {
+    host: true,
+    port: 5173,
+    middleware: [(req, res, next) => {
+      const origin = req.headers.origin || '';
+      
+      // Check if origin is allowed
+      if (allowedOrigins.length > 0 && isOriginAllowed(origin, allowedOrigins)) {
+        res.setHeader('Access-Control-Allow-Origin', origin);
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+        res.setHeader('Access-Control-Allow-Credentials', 'true');
+      }
+      
+      if (req.method === 'OPTIONS') {
+        res.writeHead(200);
+        res.end();
+      } else {
+        next();
+      }
+    }],
+  };
+
+  if (isDev) {
+    return {
+      ...serverConfig,
+      https: {
+        key: fs.readFileSync('./localhost-key.pem'),
+        cert: fs.readFileSync('./localhost.pem')
+      },
+    };
+  }
+  
+  return serverConfig;
+}
\ No newline at end of file

From 27aa259fded81132c68450bf89f8ad847f6c2f7f Mon Sep 17 00:00:00 2001
From: Abdulkarim Lahmuni <abdulkarim1422.18@gmail.com>
Date: Fri, 27 Mar 2026 18:00:23 +0300
Subject: [PATCH 3/5] fix: remove deprecated CORS headers configuration from
 _headers file

---
 public/_headers | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 public/_headers

diff --git a/public/_headers b/public/_headers
deleted file mode 100644
index ceb1579..0000000
--- a/public/_headers
+++ /dev/null
@@ -1,5 +0,0 @@
-/assets/*
-  Access-Control-Allow-Origin: *
-  Access-Control-Allow-Methods: GET, OPTIONS
-  Access-Control-Allow-Headers: *
-  Access-Control-Max-Age: 86400

From 676a4f433b56bce0bbd74fcc723582cd77938798 Mon Sep 17 00:00:00 2001
From: Abdulkarim Lahmuni <abdulkarim1422.18@gmail.com>
Date: Fri, 27 Mar 2026 18:02:10 +0300
Subject: [PATCH 4/5] refactor: remove development-specific HTTPS configuration
 from server setup

---
 vite.config.ts | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/vite.config.ts b/vite.config.ts
index 33277df..83996cd 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -53,8 +53,6 @@ function isOriginAllowed(origin: string, allowedOrigins: string[]): boolean {
 }
 
 function getServerConfig(env: Record<string, string>): import('vite').ServerOptions | undefined {
-  const isDev = env.VITE_NODE_ENV === 'dev';
-  
   // Parse allowed origins from environment variable
   const allowedOriginsStr = env.ALLOWED_ORIGINS || '';
   const allowedOrigins = allowedOriginsStr
@@ -85,15 +83,5 @@ function getServerConfig(env: Record<string, string>): import('vite').ServerOpti
     }],
   };
 
-  if (isDev) {
-    return {
-      ...serverConfig,
-      https: {
-        key: fs.readFileSync('./localhost-key.pem'),
-        cert: fs.readFileSync('./localhost.pem')
-      },
-    };
-  }
-  
   return serverConfig;
 }
\ No newline at end of file

From 943e756d3805bd5f716573988facfa8efdc7a346 Mon Sep 17 00:00:00 2001
From: Abdulkarim Lahmuni <abdulkarim1422.18@gmail.com>
Date: Fri, 27 Mar 2026 18:07:29 +0300
Subject: [PATCH 5/5] fix: update environment variable name for allowed origins
 to VITE_ALLOWED_ORIGINS

---
 .env.example              | 2 +-
 .github/workflows/dev.yml | 2 +-
 vite.config.ts            | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.env.example b/.env.example
index 005874d..45d43fa 100644
--- a/.env.example
+++ b/.env.example
@@ -3,4 +3,4 @@ VITE_NODE_ENV=demo
 # FE-main host URL used by federation to load feMain/api
 VITE_FE_MAIN_MF=http://localhost:5173
 
-ALLOWED_ORIGINS=https://localhost:5173,https://127.0.0.1:5173,https://98tools.com,https://*.98tools.com
+VITE_ALLOWED_ORIGINS=https://localhost:5173,https://127.0.0.1:5173,https://98tools.com,https://*.98tools.com
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 702e1ad..39b239e 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -30,7 +30,7 @@ jobs:
         env:
           VITE_FE_MAIN_MF: ${{ vars.VITE_FE_MAIN_MF }}
           VITE_NODE_ENV: ${{ vars.VITE_NODE_ENV }}
-          ALLOWED_ORIGINS: ${{ vars.ALLOWED_ORIGINS }}
+          VITE_ALLOWED_ORIGINS: ${{ vars.VITE_ALLOWED_ORIGINS }}
         run: npm run build
 
       - name: Deploy worker
diff --git a/vite.config.ts b/vite.config.ts
index 83996cd..dde832d 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -54,7 +54,7 @@ function isOriginAllowed(origin: string, allowedOrigins: string[]): boolean {
 
 function getServerConfig(env: Record<string, string>): import('vite').ServerOptions | undefined {
   // Parse allowed origins from environment variable
-  const allowedOriginsStr = env.ALLOWED_ORIGINS || '';
+  const allowedOriginsStr = env.VITE_ALLOWED_ORIGINS || '';
   const allowedOrigins = allowedOriginsStr
     .split(',')
     .map(origin => origin.trim())